CRITICAL🇵🇱 Wersja polska

CVE-2012-10025

CVSS 10.0v4.0pub. 2025-08-05upd. 2026-04-15

The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server’s context, allowing full compromise of the host.

🤖 AI Analysis
How it works

The vulnerability is located in the file core/actions/export.php and involves uncontrolled use of the POST parameter acf_abspath to include a PHP file. If the PHP configuration directive allow_url_include is enabled on the server (disabled by default), an attacker can provide a URL in the parameter pointing to a remote malicious PHP file. The server downloads and executes this file in the context of the web server process, leading to complete arbitrary code execution (RCE). The attack requires no authentication.

Impact

An attacker can execute arbitrary code in the context of the web server, which in practice means complete takeover of the host — including reading and modifying data, installing backdoors, and lateral movement within the internal network.

Mitigation & patch

The Advanced Custom Fields plugin must be immediately updated to a version higher than 3.5.1 according to information available in the WordPress repository. Regardless of the update, ensure that the allow_url_include directive in the PHP configuration is set to Off, which eliminates the exploitation vector for this specific vulnerability.

Who is affected

WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and all earlier versions; the vulnerability is exploitable only when the PHP directive allow_url_include is enabled (disabled by default).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth Bypass
CWE
References