Critical WordPress Plugin Vulnerability Exposes 100,000+ Websites to Privilege Escalation Attacks
ID: 70feb513-035c-578d-9ad4-116418f61f36
STIX ID: report--70feb513-035c-578d-9ad4-116418f61f36
Feed Name: GBHackers
A critical privilege-escalation vulnerability (CVE-2025-14533, CVSS 9.8) in the Advanced Custom Fields: Extended WordPress plugin allows unauthenticated attackers to assign themselves the administrator role via the plugin's insert_user form action. The flaw affects versions ≤0.9.2.1 (over 100,000 active installations) and has been fixed in 0.9.2.2; administrators are urged to update immediately and apply available mitigations.
