automatic module_metadata_base.json update

jenkins-metasploit · jenkins-metasploit · commit 2bb30ba7a3ea · 2025-12-18T22:13:06.000Z
diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
@@ -121507,6 +121507,67 @@
     "session_types": false,
     "needs_cleanup": true
   },
+  "exploit_multi/http/wp_acf_extended_rce": {
+    "name": "WordPress ACF Extended Unauthenticated RCE via prepare_form()",
+    "fullname": "exploit/multi/http/wp_acf_extended_rce",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-12-02",
+    "type": "exploit",
+    "author": [
+      "Marcin Dudek (dudekmar) - CERT.PL",
+      "Valentin Lobstein <chocapikk@leakix.net>"
+    ],
+    "description": "This module exploits an unauthenticated Remote Code Execution vulnerability in the\n          Advanced Custom Fields: Extended (ACF Extended) WordPress plugin versions 0.9.0.5\n          through 0.9.1.1. The vulnerability exists in the prepare_form() function of the\n          acfe_module_form_front_render class, which accepts user-controlled input via the\n          form[render] parameter and passes it directly to call_user_func_array() without\n          proper sanitization.\n\n          This exploit requires a WordPress page containing an ACF Extended form widget, which\n          exposes the required nonce token in the page's JavaScript. The NONCE_PAGE option\n          must be set to the path of such a page.\n\n          Once an administrator account is created via wp_insert_user(), the module uploads\n          and executes a malicious plugin to achieve remote code execution (RCE).",
+    "references": [
+      "CVE-2025-13486",
+      "URL-https://www.wordfence.com/blog/2025/12/100000-wordpress-sites-affected-by-remote-code-execution-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin/"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Unix/Linux Command Shell",
+      "Windows Command Shell"
+    ],
+    "mod_time": "2025-12-09 21:07:01 +0000",
+    "path": "/modules/exploits/multi/http/wp_acf_extended_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/wp_acf_extended_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
   "exploit_multi/http/wp_ai_engine_mcp_rce": {
     "name": "WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE",
     "fullname": "exploit/multi/http/wp_ai_engine_mcp_rce",
