Critical severityNVD Advisory· Published Aug 5, 2025· Updated Apr 15, 2026

CVE-2012-10025

Description

The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server’s context, allowing full compromise of the host.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

web.archive.org/web/20121223025326/http://secunia.com:80/advisories/51037nvd
raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rbnvd
wordpress.org/plugins/advanced-custom-fields/nvd
wpscan.com/vulnerability/d132d93b-509c-490d-8001-87147ed28c5e/nvd
www.exploit-db.com/exploits/23856nvd
www.tenable.com/plugins/nessus/63326nvd
www.vulncheck.com/advisories/wordpress-plugin-advanced-custom-fields-remote-file-inclusionnvd
www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/advanced-custom-fields/advanced-custom-fields-351-remote-code-execution-via-remote-file-inclusionnvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.040
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000