CVE•Published 2025-12-03•1 article on news•6 live references•NVD data
CVE-2025-13486
Vulnerability data via CVEDB (Shodan)
CVSS v3.1
9.8
CRITICAL
EPSS percentile
99
Exploit Prediction Scoring System · top 1% of all CVEs
Description
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.
Timeline
Published 2025-12-03
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
More intel sources (5)
Shodan report
vuln:CVE-2025-13486Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2025-13486Censys host search filtered to this CVE id.
grep.app
CVE-2025-13486Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2025-13486GitHub code search for direct mentions.
Google dork
"CVE-2025-13486" exploit -site:nvd.nist.govWrite-ups and news, NVD excluded.
Known PoCs on GitHub (8)
CVE-2025-134868 repos
0xanis/CVE-2025-13486-POCPython
POC for CVE-2025-13486
YuzeHao2023/daily-arxiv-ai4geoPython
🎓Automatically Update AI4Geo Papers Daily using Github Actions
lasthero-887/CVE-2025-13486---Pocunknown
0xgh057r3c0n/CVE-2025-13486Python
Advanced Custom Fields Extended (ACFE) WordPress Plugin Exploit RCE - Admin Creation
MataKucing-OFC/CVE-2025-13486Python
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function.
whattheslime/CVE-2025-13486Python
CVE-2025-13486 - Remote Code Execution & Privilege Escalation exploit
imfht/cve-cnPython
AIGCVE 神龙精选 CVE 中文情报榜(每周自动更新,原站 cve.imfht.com)
Darkham42/starsunknown