CVE-2012-10025

CRITICAL

WordPress Advanced Custom Fields <= 3.5.1 - Remote File Inclusion Code Execution

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2012-10025. PoCs were published by Metasploit, including the Metasploit module exploits/unix/webapp/wp_advanced_custom_fields_exec.

AI-analyzed exploit summary: This Metasploit module exploits a remote file inclusion vulnerability in the WordPress Advanced Custom Fields plugin (versions 3.5.1 and below) via the export.php script, allowing remote code execution when allow_url_include is enabled.

Description

The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (it is Off by default), an unauthenticated attacker can supply a remote location in the acf_abspath POST parameter, causing the script to include and execute arbitrary attacker-controlled PHP code. This results in remote code execution in the web server’s context and allows full compromise of the host.

Exploits (2)

exploitdb · Working PoC · Verified
by Metasploit · tags: ruby, remote, php
https://www.exploit-db.com/exploits/23856

This Metasploit module exploits a remote file inclusion vulnerability in the WordPress Advanced Custom Fields plugin (versions 3.5.1 and below) via the export.php script, allowing remote code execution when allow_url_include is enabled.

Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Advanced Custom Fields plugin <= 3.5.1
Authentication: none needed
Prerequisites: allow_url_include enabled in PHP configuration · Target running vulnerable plugin version
Analyzed by devstral-2 on Feb 16, 2026
metasploit · Working PoC · Excellent
tags: ruby, poc, php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb

Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Advanced Custom Fields plugin <= 3.5.1
Authentication: none needed
Prerequisites: allow_url_include enabled in PHP configuration · Target running vulnerable plugin version
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v4: 10.0
EPSS: 0.0122
EPSS Percentile: 64.8%
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-98
Status: published
Products (1): Advanced Custom Fields/WordPress Plugin < 3.5.1
Published: Aug 05, 2025
Tracked Since: Feb 18, 2026