CVE-2025-10380
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-23

Last updated on: 2025-09-24

Assigner: Wordfence

Description
The Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress is vulnerable to Server-Side Template Injection in all versions up to, and including, 3.7.19. This is due to insufficient input sanitization and lack of access control when processing custom Twig templates in the Model panel. This makes it possible for authenticated attackers, with author-level access or higher, to execute arbitrary PHP code and commands on the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-23
Last Modified
2025-09-24
Generated
2026-06-16
AI Q&A
2025-09-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-10380
EUVD
EUVD-2025-30832
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wordpress acf_views 3.7.19
wordpress advanced_views *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Server-Side Template Injection (SSTI) in the Advanced Views – Display Posts, Custom Fields, and More WordPress plugin (versions up to 3.7.19). It occurs because the plugin does not properly sanitize input and lacks access control when processing custom Twig templates in its Model panel. As a result, authenticated users with author-level access or higher can inject and execute arbitrary PHP code and commands on the server.

Impact Analysis

If exploited, this vulnerability allows an attacker with author-level access or higher to execute arbitrary PHP code on the server hosting the WordPress site. This can lead to full server compromise, data theft, defacement, installation of malware, or disruption of service.

Detection Guidance

Detection of this vulnerability involves identifying if the Advanced Views – Display Posts, Custom Fields, and More WordPress plugin is installed and running a vulnerable version (up to and including 3.7.19). Since the vulnerability allows authenticated users with author-level access or higher to execute arbitrary PHP code via custom Twig templates, monitoring for unusual template rendering or unexpected PHP execution is key. Specific commands to detect this vulnerability are not provided in the available resources. However, you can check the plugin version via WP-CLI with: `wp plugin list --format=json | jq '.[] | select(.name=="advanced-views")'` and verify if the version is 3.7.19 or lower. Additionally, monitoring web server logs for suspicious POST requests to the plugin's template processing endpoints or scanning for custom Twig template usage may help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include updating the Advanced Views plugin to a version later than 3.7.19 where the vulnerability is fixed. If an update is not immediately available, restrict author-level and higher user access to trusted users only, as the vulnerability requires authenticated author-level access. Additionally, disable or restrict the use of custom Twig templates in the Model panel to prevent execution of arbitrary PHP code. Monitoring and logging for suspicious activity related to template rendering is also recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10380. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart