Server-Side Template Injection in Advanced Views Plugin for WordPress
CVE-2025-10380

8.8HIGH

Key Information:

Vendor: WordPress
Status: Advanced Views – Display Posts, Custom Fields, And More
Vendor: CVE Published:; 23 September 2025

What is CVE-2025-10380?

The Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress is vulnerable to Server-Side Template Injection in all versions up to and including 3.7.19. This vulnerability arises due to inadequate input sanitization and a lack of access control during the processing of custom Twig templates in the Model panel. Authenticated attackers with author-level access or higher can exploit this issue to execute arbitrary PHP code on the server, potentially compromising the site's security.

Affected Version(s)

Advanced Views – Display Posts, Custom Fields, and More * <= 3.7.19

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/acf-views/tags...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 23, 2025
Vulnerability Reserved
Sep 12, 2025

Credit

Aurélien BOURDOIS

JSON