ACF plugin bug gives hackers admin on 50,000 WordPress sites
Published on January 20, 2026
A critical-severity vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress can be exploited remotely by unauthenticated attackers to obtain administrative permissions. [...]