Remote File Inclusion in Advanced Custom Fields Plugin Affects WordPress Vendor
CVE-2012-10025
Key Information:
- Vendor: WordPress
- CVE Published: 5 August 2025
What is CVE-2012-10025?
The Advanced Custom Fields plugin for WordPress, in versions up to and including 3.5.1, is susceptible to a Remote File Inclusion vulnerability in core/actions/export.php. When the PHP directive allow_url_include is enabled, an unauthenticated attacker can supply a remote location in the acf_abspath POST parameter and have the server include and execute arbitrary PHP code fetched from it. Successful exploitation can lead to a full compromise of the web host, allowing an attacker to manipulate or steal data or to use the server for further malicious activity.
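The root cause described above is a caller-controlled path reaching an include while remote stream wrappers are permitted. The following is an added illustrative hardening pattern, not code from the Advanced Custom Fields plugin: it accepts a directory path only when it is a real local directory under an allowed base, refuses any URL-style wrapper, and exposes a deployment check for the allow_url_include directive. The function names, the base directory and the sample inputs are assumptions constructed for this example.

```php
<?php
// Illustrative hardening pattern (added example, not the plugin's own code).
// Returns the resolved local directory when $candidate is a real directory
// under $baseDir; returns null for stream wrappers, traversal or missing paths.
function resolve_local_dir(string $candidate, string $baseDir): ?string
{
    // Refuse anything shaped like a stream wrapper (http:, ftp:, php:, data:, ...).
    // A scheme of two or more characters is required so "C:\..." drive paths pass.
    if (preg_match('#^[a-z][a-z0-9+.-]+:#i', $candidate)) {
        return null;
    }
    // Embedded NUL bytes can truncate a path in some filesystem calls.
    if (strpos($candidate, "\0") !== false) {
        return null;
    }
    $realBase = realpath($baseDir);
    $real     = realpath($candidate);
    if ($realBase === false || $real === false || !is_dir($real)) {
        return null; // base misconfigured, path does not exist, or not a directory
    }
    // Require the resolved path to be the base itself or a descendant of it.
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR);
    $prefix   = $realBase . DIRECTORY_SEPARATOR;
    if ($real !== $realBase && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Deployment check: allow_url_include should be Off regardless of input validation,
// since it is the precondition that turns a path-handling bug into remote inclusion.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample inputs: a remote URL, a directory outside the base, and the base itself.
$base = __DIR__;
foreach (['http://example.invalid/payload.txt', '/etc', $base] as $input) {
    $resolved = resolve_local_dir($input, $base);
    printf("%-36s => %s\n", $input, $resolved === null ? 'rejected' : 'accepted: ' . $resolved);
}
printf("allow_url_include enabled: %s\n", remote_include_enabled() ? 'yes (fix php.ini)' : 'no');
```

Run from the command line with `php`; only the third input is accepted, and the last line reports whether the interpreter's allow_url_include setting needs correcting.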
Affected Version(s)
WordPress plugin (Advanced Custom Fields), all versions <= 3.5.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved