QwikSec

Security Database

CVE

CWE

Training

CVE-2012-10025

Published: Aug 5, 2025

Modified: May 15, 2026

PUBLISHED

Description

The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server’s context, allowing full compromise of the host.

Vendor	Product	Versions
Advanced Custom Fields	WordPress Plugin	affected `0 - <= 3.5.1`

Weaknesses (CWE)

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb

exploit

https://www.exploit-db.com/exploits/23856

exploit

http://web.archive.org/web/20121223025326/http://secunia.com:80/advisories/51037

technical-description

exploit

https://www.tenable.com/plugins/nessus/63326

third-party-advisory

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/advanced-custom-fields/advanced-custom-fields-351-remote-code-execution-via-remote-file-inclusion

third-party-advisory

https://wpscan.com/vulnerability/d132d93b-509c-490d-8001-87147ed28c5e/

third-party-advisory

https://wordpress.org/plugins/advanced-custom-fields/

product

https://www.vulncheck.com/advisories/wordpress-plugin-advanced-custom-fields-remote-file-inclusion

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.