CVE-2025-3491

Name of the Vulnerable Software and Affected Versions Add custom page template plugin for WordPress versions up to, and including, 2.0.1

Description The issue is related to PHP Code Injection leading to Remote Code Execution due to insufficient sanitization of the template name parameter. This is possible via the acpt validate setting function, allowing authenticated attackers with Administrator-level access and above to execute code on the server.

Recommendations For Add custom page template plugin for WordPress versions up to, and including, 2.0.1, update to a version higher than 2.0.1 to resolve the issue. As a temporary workaround, consider disabling the acpt validate setting function until a patch is available. Restrict access to the template name parameter to minimize the risk of exploitation.