High severity8.8NVD Advisory· Published Sep 23, 2025· Updated Apr 15, 2026

CVE-2025-10380

Description

The Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress is vulnerable to Server-Side Template Injection in all versions up to, and including, 3.7.19. This is due to insufficient input sanitization and lack of access control when processing custom Twig templates in the Model panel. This makes it possible for authenticated attackers, with author-level access or higher, to execute arbitrary PHP code and commands on the server.

Affected products

WordPress/Acf Viewsinferred
Range: <=3.7.19
Package: https://wordpress.org/plugins/acf-views

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/acf-views/tags/3.7.19/src/Template_Engines/Twig.phpnvd
plugins.trac.wordpress.org/changesetnvd
www.wordfence.com/threat-intel/vulnerabilities/id/52b04517-f0be-4bbf-818c-70a12d76bfecnvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000