CVE-2012-10025
published 2025-08-05


Priority: P272
CVSS 4.0: 10 (critical)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (all threat, environmental and supplemental metrics not defined, X)
Tags: EXPLOIT
EPSS: 1.22% (65.0th percentile)
The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server’s context, allowing full compromise of the host.

Affected

1 range
Vendor: advanced_custom_fields
Product: wordpress_plugin
Version range: <= 3.5.1
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

Path: core/actions/export.php
Other: POST parameter acf_abspath
  • Monitor POST requests targeting the export.php script within the Advanced Custom Fields plugin path for external URLs in the acf_abspath parameter, which would indicate an RFI attempt.
  • Flag any POST request where the acf_abspath parameter contains an http:// or https:// URL, as this is the injection vector for remote code execution.
  • Exploitation is only possible when the PHP directive allow_url_include is enabled; audit PHP configurations for this setting as a risk indicator.
  • Exploitation requires the non-default PHP configuration directive allow_url_include to be enabled; the vulnerability is NOT exploitable in default PHP installations.
  • Only Advanced Custom Fields plugin versions 3.5.1 and below are affected; detections should be scoped accordingly.
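The two checks above (flagging POST requests to export.php whose acf_abspath parameter carries an http:// or https:// URL, and auditing allow_url_include) as working detection logic. This is an added example, not code from the page or from the plugin; it assumes a request log in which each record carries the method, path and decoded POST body (a WAF or application-level request log), since ordinary web-server access logs do not record request bodies. The sample records and php.ini text are constructed.

```python
"""Detection logic for the CVE-2012-10025 indicators listed above (added example).

Assumption: records come from a log that includes POST bodies, e.g. a WAF or
application request log. Plain access logs lack bodies and cannot be used here.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample records, not real traffic.
SAMPLE_REQUESTS = [
    # URL in acf_abspath on a POST to export.php: matches the RFI indicator
    {"method": "POST",
     "path": "/wp-content/plugins/advanced-custom-fields/core/actions/export.php",
     "body": "acf_abspath=http://example.invalid/payload.txt&nonce=abc"},
    # local path in acf_abspath: normal plugin behaviour, not flagged
    {"method": "POST",
     "path": "/wp-content/plugins/advanced-custom-fields/core/actions/export.php",
     "body": "acf_abspath=/var/www/html&nonce=abc"},
    # GET to the same script carries no POST body: not flagged
    {"method": "GET",
     "path": "/wp-content/plugins/advanced-custom-fields/core/actions/export.php",
     "body": ""},
    # unrelated endpoint: not flagged
    {"method": "POST", "path": "/wp-login.php", "body": "log=admin&pwd=x"},
]

# Match the plugin script wherever the plugin directory is installed.
EXPORT_PATH_RE = re.compile(r"/core/actions/export\.php$")


def is_rfi_attempt(record):
    """True when the record matches the page's indicator: a POST to
    export.php whose acf_abspath value is an http:// or https:// URL.
    parse_qs percent-decodes the body, so an encoded scheme
    (http%3A%2F%2F...) is caught as well."""
    if record.get("method", "").upper() != "POST":
        return False
    if not EXPORT_PATH_RE.search(urlparse(record.get("path", "")).path):
        return False
    params = parse_qs(record.get("body", ""), keep_blank_values=True)
    for value in params.get("acf_abspath", []):
        # urlparse lowercases the scheme, so HTTP:// and http:// both match
        if urlparse(value.strip()).scheme in ("http", "https"):
            return True
    return False


def find_rfi_attempts(records):
    """Return the records that match the RFI indicator."""
    return [r for r in records if is_rfi_attempt(r)]


def allow_url_include_enabled(php_ini_text):
    """Audit allow_url_include in php.ini-style text.

    Returns True only if the last uncommented setting enables it; PHP treats
    On/1/True/Yes as enabled. Absent directive means the default, Off."""
    enabled = False
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().lower() == "allow_url_include":
            enabled = val.strip().strip('"').lower() in ("on", "1", "true", "yes")
    return enabled


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_REQUESTS):
        print("RFI indicator:", hit["path"], hit["body"])
    sample_ini = "; allow_url_include = On\nallow_url_include = Off\n"
    print("allow_url_include enabled:", allow_url_include_enabled(sample_ini))
```

Scope the first check to the affected plugin version where the log source allows it; the second check is the stronger risk signal, because the page notes that exploitation needs allow_url_include to be on, which is not the PHP default.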