CVE-2012-10025

CRITICAL

ACF < 3.5.1 - RCE

Title source: llm

Description

The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (it is Off by default), an unauthenticated attacker can abuse the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This results in remote code execution in the web server's security context, allowing full compromise of the host.

Exploits (2)

exploitdb: WORKING POC, VERIFIED
  by Metasploit · tags: ruby, remote, php
  https://www.exploit-db.com/exploits/23856
metasploit: WORKING POC, EXCELLENT
  tags: ruby, poc, php
  https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb

Scores

CVSS v4: 10.0
EPSS: 0.5018
EPSS Percentile: 97.8%
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Details

CWE: CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, i.e. PHP remote file inclusion)
Status: published
Products (1): Advanced Custom Fields (WordPress plugin) < 3.5.1
Published: Aug 05, 2025
Tracked Since: Feb 18, 2026