Critical WordPress Plugin Flaws Threaten Tens of Thousands of Sites

Continue reading
A coordinated surge of exploit activity targeting two high-impact WordPress plugin vulnerabilities has put more than 110,000 websites at immediate risk of full compromise. The vulnerabilities — an unauthenticated Remote Code Execution (RCE) flaw in Advanced Custom Fields: Extended (ACF Extended) and an unauthenticated administrator-creation exploit in King Addons for Elementor — dramatically escalate the threat surface for WordPress sites across industries.
Both flaws are zero-click, no-authentication, and weaponized in the wild, making them among the most critical WordPress threats disclosed this year.
The vulnerability in ACF Extended emerged from a code path inside the plugin’s form preparation routine. A non-privileged actor can inject arbitrary parameters into a function that is eventually passed through PHP's `call_user_func_array()`, enabling the direct execution of attacker-controlled code on the hosting server.
This flaw effectively collapses the boundary between WordPress and the underlying server, allowing attackers to pivot from web-level access to complete system-level dominance.
Analysis of similar code-execution chains shows that adversaries typically follow a predictable pattern:
Version 0.9.2 patches the flaw, but telemetry indicates that a high percentage of active installations remain outdated.
The second threat originates from a privilege-handling failure inside the King Addons AJAX registration module. By design, user role assignment should be enforced on the server. Instead, the plugin accepts the `user_role` parameter directly from the client, enabling attackers to register themselves as administrators.
Because the entire operation is executed through `admin-ajax.php`, no authentication is required.
This flaw provides attackers a frictionless route to full site control, including:
Threat groups began abusing the flaw almost immediately after disclosure. Recorded exploit activity includes:
This vulnerability is already functioning as an entry point in large-scale botnet campaigns, indicating its widespread abuse.
These two vulnerabilities, though distinct in nature, share a dangerous alignment:
In technical terms, these vulnerabilities offer two of the most valuable primitives in exploitation:
When used together, they form a complete compromise chain capable of collapsing an entire digital infrastructure.
This has substantial implications for:
| Attack Goal | Achieved Through |
|---|---|
| Full administrative takeover | King Addons |
| Server command execution | ACF Extended |
| Data theft / DB extraction | Both |
| Ransomware payload delivery | ACF Extended |
| SEO spam / malicious redirect injections | Both |
| Email phishing infrastructure deployment | King Addons |
| Botnet node recruitment | ACF Extended (post-RCE) |
Administrators should immediately investigate if they observe:
To reduce exposure to similar threats:
WordPress doesn’t fail because it’s insecure — it fails because its plugin ecosystem is porous, fragmented, and inconsistently maintained. These two vulnerabilities exemplify how quickly a neglected update can escalate into a full-scale compromise.
The dual emergence of an RCE flaw and a privilege-escalation flaw in popular WordPress plugins signals a critical moment for the ecosystem. Attackers no longer rely on brute force or credential stuffing — they exploit logic flaws, unsafe developer assumptions, and update fatigue.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation