CVE-2012-10025

216.73.216.233

· Published 05/08/2025 20:15 · Modified 05/08/2025 21:06

Labels: CVE-2012-10025 2025-08-05 CVE-2012-10025 CWE-98 [email protected]

Essential information

Published: 05/08/2025 20:15
Modified: 05/08/2025 21:06
Author: —
Creator: —
CVSS: 10.0 CRITICAL (v3) 10.0 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server’s context, allowing full compromise of the host.

NVD status

Status: Awaiting Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
wordpress / advanced custom fields	`cpe:2.3:a:wordpress:advanced_custom_fields:<3.5.1:::::::*`