Server-Side Template Injection in Advanced Views Plugin for WordPress
CVE-2025-10380

8.8HIGH

Key Information:

Vendor: WordPress
Status: Advanced Views – Display Posts, Custom Fields, And More
Vendor: CVE Published:; 23 September 2025

What is CVE-2025-10380?

The Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress is vulnerable to Server-Side Template Injection in all versions up to and including 3.7.19. This vulnerability arises due to inadequate input sanitization and a lack of access control during the processing of custom Twig templates in the Model panel. Authenticated attackers with author-level access or higher can exploit this issue to execute arbitrary PHP code on the server, potentially compromising the site's security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Advanced Views – Display Posts, Custom Fields, and More * <= 3.7.19

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/acf-views/tags...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 23, 2025
Vulnerability Reserved
Sep 12, 2025

Credit

Aurélien BOURDOIS

JSON

WordPress

What is CVE-2025-10380?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.