CVE-2012-10025 CRITICAL

CVE-2012-10025: WordPress Plugin Advanced Custom Fields <= 3.5.1 Remote File Inclusion

Vendor Advanced Custom Fields
Product WordPress Plugin
Weakness CWE-98 · PHP file inclusion
Published August 5, 2025
Last update May 15, 2026
View on NVD All CVEs

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server’s context, allowing full compromise of the host.

Key dates

02Disclosure timeline

August 5, 2025 CVE published
May 15, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-32503 WordPress Trendustry theme <= 1.1.4 - Local File Inclusion vulnerability CVE-2025-53227 WordPress Magazine Saga Theme <= 1.2.7 - Local File Inclusion Vulnerability CVE-2026-24538 WordPress Omnipress plugin <= 1.6.7 - Local File Inclusion vulnerability CVE-2025-30785 WordPress Subscribe to Download Lite plugin <= 1.2.9 - Local File Inclusion Vulnerability CVE-2025-47576 WordPress Bimber - Viral Magazine WordPress Theme theme <= 9.2.5 - Local File Inclusion vulnerability