CVE-2012-10025

WordPress Plugin Advanced Custom Fields <= 3.5.1 Remote File Inclusion

Description

The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server’s context, allowing full compromise of the host.

INFO

Published Date :

2025-08-05T20:06:00.838Z

Last Modified :

2025-08-07T15:12:47.309Z

Source :

VulnCheck

AFFECTED PRODUCTS

The following products are affected by CVE-2012-10025 vulnerability.

Vendors	Products
Advanced Custom Fields	Advanced Custom Fields Wordpress Plugin
Wordpress	Wordpress

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2012-10025.

URL	Resource
http://web.archive.org/web/20121223025326/http://secunia.com:80/advisories/51037
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb
https://wordpress.org/plugins/advanced-custom-fields/
https://wpscan.com/vulnerability/d132d93b-509c-490d-8001-87147ed28c5e/
https://www.exploit-db.com/exploits/23856
https://www.tenable.com/plugins/nessus/63326
https://www.vulncheck.com/advisories/wordpress-plugin-advanced-custom-fields-remote-file-inclusion
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/advanced-custom-fields/advanced-custom-fields-351-remote-code-execution-via-remote-file-inclusion

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability