PT-2025-31977 · WordPress · Advanced Custom Fields Pro
Published: 2025-08-05 · Updated: 2025-08-05 · CVE-2012-10025
CVSS v4.0: 10 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Advanced Custom Fields (ACF) versions 3.5.1 and earlier
Description
The Advanced Custom Fields (ACF) plugin for WordPress is susceptible to a remote file inclusion (RFI) issue in the core/actions/export.php file. When the allow_url_include PHP configuration directive is enabled, an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This can lead to remote code execution within the web server's context, potentially resulting in a full system compromise.
Recommendations
Versions prior to 3.5.1: Disable the allow_url_include directive in the PHP configuration.
Fix
RCE
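The defensive counterpart to the issue described above, as an added example that is neither ACF's code nor its fix: a runtime check for the allow_url_include setting the recommendation refers to, and a validator that refuses URL and stream-wrapper paths and pins a user-supplied base path under the site root before it ever reaches include(). The function names, the ABSPATH fallback and the bootstrap file name are assumptions.

```php
<?php
// Added example, not the plugin's code: validate a user-controlled "abspath"
// parameter before it reaches include()/require(). Assumes a WordPress-style
// ABSPATH constant naming the only directory files may be included from.
defined('ABSPATH') || define('ABSPATH', __DIR__); // fallback for stand-alone runs

// True when PHP would honour remote URLs in include(): the weak setting the
// advisory's recommendation says to turn off.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Returns the canonical path if $candidate is an existing directory at or below
// $allowed_root, otherwise null. The raw parameter is never passed to include().
function safe_base_path(string $candidate, string $allowed_root): ?string
{
    // Reject URLs and stream wrappers (http://, ftp://, php://, phar://, data:).
    // allow_url_include=Off blocks only the remote ones, so check explicitly.
    // Two or more scheme characters are required so "C:\..." stays a local path.
    if (preg_match('#^[a-z][a-z0-9+.\-]+:#i', $candidate)) {
        return null;
    }
    // Reject embedded NUL bytes, which older PHP versions treated as terminators.
    if (strpos($candidate, "\0") !== false) {
        return null;
    }
    // realpath() resolves ../ and symlinks and returns false for missing paths.
    $real = realpath($candidate);
    $root = realpath($allowed_root);
    if ($real === false || $root === false || !is_dir($real)) {
        return null;
    }
    // Accept the root itself, or any path that starts with root + separator
    // (the separator prevents /var/www/htmlx matching root /var/www/html).
    $rootNoSlash = rtrim($root, DIRECTORY_SEPARATOR);
    $prefix = $rootNoSlash . DIRECTORY_SEPARATOR;
    if ($real !== $rootNoSlash && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Usage in a request handler (bootstrap file name is a placeholder):
if (remote_include_enabled()) {
    error_log('allow_url_include is On: remote include is possible, disable it');
}
$base = safe_base_path($_POST['acf_abspath'] ?? '', ABSPATH);
if ($base === null) {
    http_response_code(400);
    exit('invalid path');
}
require_once $base . DIRECTORY_SEPARATOR . 'bootstrap.php';
```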
Affected Products
Acf
Advanced Custom Fields Pro