ACF plugin bug gives hackers admin on 50,000 WordPress sites
ID: 8e4fe58b-a42e-5976-b536-b455863d5499
STIX ID: report--8e4fe58b-a42e-5976-b536-b455863d5499
Feed Name: Bleeping Computer
A critical privilege-escalation flaw (CVE-2025-14533) in the ACF Extended WordPress plugin allowed unauthenticated attackers to set user roles arbitrarily via the ‘Insert User/Update User’ form, potentially granting administrator access to many sites; the vendor released a fix in v0.9.2.2, but approximately 50,000 sites may remain exposed. The report also highlights widespread WordPress plugin enumeration activity and notes active exploitation of other plugin vulnerabilities.
