CVE-2025-10380
BaseFortify
Publication date: 2025-09-23
Last updated on: 2025-09-24
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | acf_views | 3.7.19 |
| wordpress | advanced_views | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Server-Side Template Injection (SSTI) in the Advanced Views β Display Posts, Custom Fields, and More WordPress plugin (versions up to 3.7.19). It occurs because the plugin does not properly sanitize input and lacks access control when processing custom Twig templates in its Model panel. As a result, authenticated users with author-level access or higher can inject and execute arbitrary PHP code and commands on the server.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with author-level access or higher to execute arbitrary PHP code on the server hosting the WordPress site. This can lead to full server compromise, data theft, defacement, installation of malware, or disruption of service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the Advanced Views β Display Posts, Custom Fields, and More WordPress plugin is installed and running a vulnerable version (up to and including 3.7.19). Since the vulnerability allows authenticated users with author-level access or higher to execute arbitrary PHP code via custom Twig templates, monitoring for unusual template rendering or unexpected PHP execution is key. Specific commands to detect this vulnerability are not provided in the available resources. However, you can check the plugin version via WP-CLI with: `wp plugin list --format=json | jq '.[] | select(.name=="advanced-views")'` and verify if the version is 3.7.19 or lower. Additionally, monitoring web server logs for suspicious POST requests to the plugin's template processing endpoints or scanning for custom Twig template usage may help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Advanced Views plugin to a version later than 3.7.19 where the vulnerability is fixed. If an update is not immediately available, restrict author-level and higher user access to trusted users only, as the vulnerability requires authenticated author-level access. Additionally, disable or restrict the use of custom Twig templates in the Model panel to prevent execution of arbitrary PHP code. Monitoring and logging for suspicious activity related to template rendering is also recommended. [1]