CVE-2025-15463 Overview
CVE-2025-15463 affects the Advanced Custom Fields: Extended plugin for WordPress in all versions up to and including 0.9.2.3. The plugin executes the WordPress do_shortcode function on user-supplied input without proper validation. Unauthenticated attackers can submit crafted values that trigger arbitrary shortcode execution on the target site. The flaw is classified under CWE-94: Improper Control of Generation of Code.
Critical Impact
Unauthenticated attackers can execute arbitrary WordPress shortcodes remotely over the network, leading to information disclosure and content manipulation depending on which shortcodes are registered on the target site.
Affected Products
- Advanced Custom Fields: Extended plugin for WordPress
- All plugin versions through 0.9.2.3
- WordPress sites using the plugin's form module (email action and front-end render)
Discovery Timeline
- 2026-05-12 - CVE-2025-15463 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2025-15463
Vulnerability Analysis
The Advanced Custom Fields: Extended (ACF Extended) plugin extends the popular ACF plugin with additional form-building features. The vulnerability resides in the plugin's form module, specifically in the email action handler (module-form-action-email.php) and the front-end render logic (module-form-front-render.php). Both code paths pass user-controlled values to the WordPress core function do_shortcode without first validating or stripping shortcode tags.
WordPress shortcodes are macros enclosed in square brackets that execute registered PHP callbacks. When do_shortcode is invoked on attacker-controlled input, the plugin runs any shortcode registered on the site, including those provided by other plugins or themes. An attacker who supplies a payload such as a registered gallery, user listing, or file-rendering shortcode can trigger that code path without authentication.
The issue results in limited confidentiality and integrity impact, as defined by the CVSS vector, because the attacker is constrained to whatever shortcodes are already registered. Sites that register sensitive shortcodes (for example, ones that disclose user data or render private content) face a higher effective risk.
Root Cause
The root cause is missing input validation before invoking do_shortcode. The plugin treats form-supplied values as safe template content rather than untrusted input. There is no allowlist of permitted shortcodes and no sanitization step that strips bracketed shortcode syntax from user submissions.
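The pattern the paragraphs above describe, shown as an added illustration rather than ACF Extended's own code (this page does not quote the plugin's source): the unsafe function merges submitter values into the email template before calling do_shortcode, so a bracketed tag typed into a form field is executed; the hardened function expands shortcodes on the admin-authored template only and inserts submitter values afterwards, with registered shortcode syntax stripped and the value escaped for the output context. The function names, the {field:name} placeholder syntax and the [site_footer] tag are assumptions; do_shortcode, strip_shortcodes and esc_html are WordPress core functions, so the snippet runs inside a WordPress request, not stand-alone.

```php
<?php
// Added illustration of the vulnerable pattern and a hardened form.
// Not ACF Extended's code; function names and placeholder syntax are assumed.
// Requires a WordPress runtime (do_shortcode, strip_shortcodes, esc_html).

/**
 * Vulnerable pattern: submitter values are merged into the admin-authored
 * template first, and do_shortcode() then runs over the combined string,
 * so any registered [tag] the submitter typed is executed.
 */
function acfe_example_render_unsafe( string $template, array $fields ): string {
    foreach ( $fields as $name => $value ) {
        $template = str_replace( '{field:' . $name . '}', (string) $value, $template );
    }
    return do_shortcode( $template ); // expands shortcodes from $fields as well
}

/**
 * Hardened form: shortcodes are expanded only on the template the site admin
 * wrote; submitter values are inserted afterwards, with registered shortcode
 * syntax stripped and the text escaped for an HTML email body.
 */
function acfe_example_render_safe( string $template, array $fields ): string {
    // Only admin-authored content reaches do_shortcode(). The {field:...}
    // placeholders contain no brackets, so they survive this call as text.
    $rendered = do_shortcode( $template );

    foreach ( $fields as $name => $value ) {
        // strip_shortcodes() removes every *registered* [tag], which is exactly
        // the set do_shortcode() would run; unregistered brackets are inert and
        // are then escaped as ordinary text. For a plain-text email, use
        // wp_strip_all_tags() instead of esc_html().
        $clean    = esc_html( strip_shortcodes( (string) $value ) );
        $rendered = str_replace( '{field:' . $name . '}', $clean, $rendered );
    }
    return $rendered;
}

// Constructed sample: a submitter places a registered shortcode in a text field.
// [site_footer] stands for a shortcode the admin deliberately put in the template.
$template = "New enquiry from {field:name}:\n{field:message}\n[site_footer]";
$fields   = array(
    'name'    => 'Alice',
    'message' => 'Hello [gallery ids="1,2,3"] there',
);
// acfe_example_render_unsafe(): [gallery ...] and [site_footer] both execute.
// acfe_example_render_safe():   only [site_footer] executes; the message is inserted literally.
```

One caveat on the hardened form: it changes behaviour for templates that place a placeholder inside a shortcode's attributes (for example [some_tag value="{field:name}"]), because substitution now happens after expansion. That is the intended effect, since submitter data should not become shortcode input, but any template relying on it needs to be rewritten.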
Attack Vector
The attack is delivered over the network with low complexity and requires no authentication or user interaction. An unauthenticated attacker submits a request to a WordPress page that renders an ACF Extended form, embedding shortcode syntax inside a form field that is later processed by the vulnerable email action or front render code paths. The server then executes the shortcode in the context of the rendering request.
The vulnerability is described in prose only because no verified proof-of-concept code is available. Source-level details for the affected functions are available in the ACF Extended email action source and the ACF Extended front render source.
Detection Methods for CVE-2025-15463
Indicators of Compromise
- HTTP POST requests to pages hosting ACF Extended forms containing bracketed shortcode syntax such as [shortcode_name] inside form field values
- Unexpected outbound emails generated by the plugin's email action that contain rendered shortcode output
- WordPress access logs showing repeated submissions to the same form endpoint from a single IP with varied shortcode payloads
- Anomalous invocations of registered shortcode callbacks correlated with form submission requests
Detection Strategies
- Inspect WordPress request bodies for shortcode patterns (\[[a-z0-9_-]+) in form fields belonging to ACF Extended forms
- Audit installed plugin versions and flag any ACF Extended deployment at or below 0.9.2.3
- Correlate form submissions with execution of privileged shortcodes that expose user, post, or file data
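An offline check that implements the first detection strategy above (added example, not part of the advisory): it reads request records as JSON lines, such as a reverse proxy or WAF configured to log POST bodies might produce, applies the \[[a-z0-9_-]+ pattern to every form-field value, and groups hits per source IP and URI so that repeated submissions carrying varied tags stand out, the indicator listed earlier. The record format, field names and sample lines are constructed, and the tag names inside them are made up.

```php
<?php
// Added example (not from the advisory): offline scan of a request-body log for
// shortcode syntax in form-field values. Input is a constructed JSON-lines
// format {ts, ip, method, uri, body}; the field names are assumptions.

const ACFE_SCAN_TAG_REGEX = '/\[([a-z0-9_-]+)/i'; // the pattern from the strategy list

/** Return the distinct shortcode tag names that appear in one field value. */
function acfe_scan_find_tags( string $value ): array {
    if ( preg_match_all( ACFE_SCAN_TAG_REGEX, $value, $m ) === 0 ) {
        return array();
    }
    return array_values( array_unique( array_map( 'strtolower', $m[1] ) ) );
}

/** Walk a decoded body recursively (ACF posts nested arrays such as acf[field_x]). */
function acfe_scan_walk_body( $body, string $prefix = '' ): array {
    $hits = array();
    if ( is_array( $body ) ) {
        foreach ( $body as $k => $v ) {
            $path = $prefix === '' ? (string) $k : $prefix . '[' . $k . ']';
            $hits = array_merge( $hits, acfe_scan_walk_body( $v, $path ) );
        }
    } elseif ( is_string( $body ) ) {
        foreach ( acfe_scan_find_tags( $body ) as $tag ) {
            $hits[] = array( 'field' => $prefix, 'tag' => $tag );
        }
    }
    return $hits;
}

/**
 * Summarise POST records per (ip, uri). A pair is flagged when it sent at least
 * $min_posts submissions containing shortcode syntax with more than one distinct
 * tag, i.e. the "varied shortcode payloads" indicator.
 */
function acfe_scan_lines( array $lines, int $min_posts = 3 ): array {
    $per_src = array();
    foreach ( $lines as $line ) {
        $rec = json_decode( $line, true );
        if ( ! is_array( $rec ) || ( $rec['method'] ?? '' ) !== 'POST' ) {
            continue;
        }
        $hits = acfe_scan_walk_body( $rec['body'] ?? array() );
        if ( ! $hits ) {
            continue;
        }
        $key = ( $rec['ip'] ?? '?' ) . ' ' . ( $rec['uri'] ?? '?' );
        $per_src[ $key ]['posts'] = ( $per_src[ $key ]['posts'] ?? 0 ) + 1;
        foreach ( $hits as $h ) {
            $per_src[ $key ]['tags'][ $h['tag'] ]     = true;
            $per_src[ $key ]['fields'][ $h['field'] ] = true;
        }
    }
    $findings = array();
    foreach ( $per_src as $key => $s ) {
        list( $ip, $uri ) = explode( ' ', $key, 2 );
        $findings[] = array(
            'ip'      => $ip,
            'uri'     => $uri,
            'posts'   => $s['posts'],
            'tags'    => array_keys( $s['tags'] ),
            'fields'  => array_keys( $s['fields'] ),
            'flagged' => $s['posts'] >= $min_posts && count( $s['tags'] ) > 1,
        );
    }
    return $findings;
}

// Constructed sample records (documentation IP ranges, invented tag names).
$sample = array(
    '{"ts":"2026-05-14T10:00:01Z","ip":"203.0.113.7","method":"POST","uri":"/contact/","body":{"acf":{"field_name":"Bob","field_msg":"hi"}}}',
    '{"ts":"2026-05-14T10:00:05Z","ip":"203.0.113.7","method":"POST","uri":"/contact/","body":{"acf":{"field_msg":"[gallery]"}}}',
    '{"ts":"2026-05-14T10:00:09Z","ip":"203.0.113.7","method":"POST","uri":"/contact/","body":{"acf":{"field_msg":"[example_listing]"}}}',
    '{"ts":"2026-05-14T10:00:12Z","ip":"203.0.113.7","method":"POST","uri":"/contact/","body":{"acf":{"field_msg":"[embed]"}}}',
    '{"ts":"2026-05-14T10:01:00Z","ip":"198.51.100.2","method":"POST","uri":"/contact/","body":{"acf":{"field_msg":"see [1] below"}}}',
);

foreach ( acfe_scan_lines( $sample ) as $f ) {
    printf( "%-14s %-10s posts=%d tags=%s %s\n", $f['ip'], $f['uri'], $f['posts'],
        implode( ',', $f['tags'] ), $f['flagged'] ? 'FLAGGED' : 'ok' );
}
```

Run it with php scan.php after replacing $sample with lines read from the real log, for example file('body.log', FILE_IGNORE_NEW_LINES). On the sample, 203.0.113.7 is flagged (three submissions, three distinct tags) while 198.51.100.2 is not. The last record shows the pattern's main false positive: footnote-style brackets such as [1] match too, so before alerting compare the reported tags with the site's registered shortcodes (the keys of the global $shortcode_tags array), since only those are executed by do_shortcode.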
Monitoring Recommendations
- Enable WordPress debug logging for the form module and capture all values passed to do_shortcode
- Forward web server and WordPress application logs to a centralized log platform for retention and correlation
- Alert on unauthenticated submissions to ACF Extended endpoints that contain shortcode brackets in their payloads
How to Mitigate CVE-2025-15463
Immediate Actions Required
- Identify all WordPress instances running the Advanced Custom Fields: Extended plugin and inventory their versions
- Upgrade ACF Extended to a version newer than 0.9.2.3 once the vendor releases a fixed build
- Disable or remove ACF Extended form modules on internet-facing sites until the patch is applied
- Review registered shortcodes and remove any that expose sensitive data or perform privileged actions
Patch Information
The vulnerability affects all releases through 0.9.2.3. Administrators should monitor the plugin's WordPress.org listing for a release that addresses the shortcode validation issue. Additional context is published in the Wordfence vulnerability analysis.
Workarounds
- Place the WordPress site behind a web application firewall that strips or blocks shortcode syntax in form submissions
- Temporarily disable the ACF Extended plugin until the patched version is installed
- Restrict access to pages containing ACF Extended forms using authentication or IP allowlists where feasible
- Unregister non-essential shortcodes to reduce the attack surface available to do_shortcode
# Example: list and disable the plugin using WP-CLI
wp plugin list --name=acf-extended --fields=name,status,version
wp plugin deactivate acf-extended
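A drop-in mu-plugin, added here as an example and not part of ACF Extended or of this advisory, that covers the monitoring recommendation to record what reaches do_shortcode, the alerting item for unauthenticated submissions containing shortcode brackets, and the workarounds of stripping shortcode syntax from submissions and unregistering non-essential shortcodes. It assumes a site where the form request is processed after the init action (ACF front-end form handling runs later in the request), logs through PHP's error_log (visible when WP_DEBUG_LOG is on), and relies only on core functions: add_action, add_filter, remove_shortcode, strip_shortcodes, is_user_logged_in and the pre_do_shortcode_tag filter. The tag names in the removal list are placeholders to be chosen per site.

```php
<?php
/**
 * Plugin Name: ACFE shortcode guard (added example, not part of ACF Extended)
 * Description: Logs shortcode syntax in unauthenticated POST bodies and every
 *              shortcode executed while such a request is handled, strips
 *              registered shortcodes from those values before the form module
 *              sees them, and unregisters a per-site list of non-essential tags.
 *
 * Install by copying into wp-content/mu-plugins/. Assumes the form request is
 * processed after `init` and that error_log() output is collected centrally.
 */

function acfe_guard_is_unauth_post(): bool {
    return ( $_SERVER['REQUEST_METHOD'] ?? '' ) === 'POST' && ! is_user_logged_in();
}

/**
 * Walk a (possibly nested) POST array. Values containing registered shortcode
 * syntax are logged and returned with that syntax stripped.
 */
function acfe_guard_clean( $value, string $path ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $k => $v ) {
            $value[ $k ] = acfe_guard_clean( $v, $path . '[' . $k . ']' );
        }
        return $value;
    }
    if ( ! is_string( $value ) || strpos( $value, '[' ) === false ) {
        return $value; // fast path: nothing bracketed
    }
    $stripped = strip_shortcodes( $value );
    if ( $stripped !== $value ) {
        error_log( sprintf(
            'acfe-guard: registered shortcode syntax removed from %s (ip %s, uri %s)',
            $path,
            $_SERVER['REMOTE_ADDR'] ?? '?',
            $_SERVER['REQUEST_URI'] ?? '?'
        ) );
    }
    return $stripped;
}

// Runs late on init so that every plugin has registered its shortcodes
// (strip_shortcodes() only knows registered tags) but before the front-end
// form request is processed.
add_action( 'init', function () {
    // Workaround: unregister tags this site does not need on the front end.
    // Placeholder list; replace with the tags identified in the shortcode review.
    foreach ( array( 'example_non_essential_tag' ) as $tag ) {
        remove_shortcode( $tag );
    }
    if ( acfe_guard_is_unauth_post() ) {
        $_POST = acfe_guard_clean( $_POST, 'POST' );
    }
}, PHP_INT_MAX );

// Telemetry: record every shortcode that runs while an unauthenticated POST
// is being handled. Returning $return unchanged (false) lets it run normally.
add_filter( 'pre_do_shortcode_tag', function ( $return, $tag ) {
    if ( acfe_guard_is_unauth_post() ) {
        error_log( sprintf(
            'acfe-guard: shortcode [%s] executed during unauthenticated POST to %s from %s',
            $tag,
            $_SERVER['REQUEST_URI'] ?? '?',
            $_SERVER['REMOTE_ADDR'] ?? '?'
        ) );
    }
    return $return;
}, 10, 2 );
```

The two log lines this produces are the signals the detection section asks for: the first records bracketed input arriving in a form field, the second records which callback actually ran in response. Forward the PHP error log with the web server logs so both can be correlated by IP and URI. Because the stripping hooks init at the latest priority, a plugin that registers its shortcodes even later (or only at render time) would not be covered, which is one more reason to keep the unregister list and the upgrade as the primary controls.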
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.