CVE-2012-10025

05.08.2025, 20:15

The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web servers context, allowing full compromise of the host.

PHP Remote File Inclusion

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
VulnCheck	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

References

http://web.archive.org/web/20121223025326/http://secunia.com:80/advisories/51037

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb

https://wordpress.org/plugins/advanced-custom-fields/

https://wpscan.com/vulnerability/d132d93b-509c-490d-8001-87147ed28c5e/

https://www.exploit-db.com/exploits/23856

https://www.tenable.com/plugins/nessus/63326

https://www.vulncheck.com/advisories/wordpress-plugin-advanced-custom-fields-remote-file-inclusion

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/advanced-custom-fields/advanced-custom-fields-351-remote-code-execution-via-remote-file-inclusion