CVE-2025-3491
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
An Administrator-level authenticated PHP code injection in the Add custom page template plugin for WordPress (≤2.0.1) allows remote code execution via the template_name parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An Administrator-level authenticated PHP code injection in the Add custom page template plugin for WordPress (≤2.0.1) allows remote code execution via the template_name parameter.
Vulnerability
Overview The Add custom page template plugin for WordPress, versions up to and including 2.0.1, suffers from a PHP code injection vulnerability in the acpt_validate_setting function. The template_name parameter is insufficiently sanitized, allowing an attacker to inject arbitrary PHP code. This flaw is present throughout the plugin's template handling logic but is most critical in the validation routine where user-supplied template names are used directly in a foreach loop that iterates over template files [1].
Exploitation and
Attack Surface Exploitation requires Administrator-level access or higher. An authenticated attacker can leverage the vulnerable function by providing a crafted template_name that contains PHP code. Because the code is injected during the processing of custom page templates, the injected code is executed on the server when the affected code path is triggered. The attack vector is through the plugin's administration interface, meaning no direct network exposure is needed beyond the WordPress admin panel [1].
Impact
Successful exploitation allows an attacker to execute arbitrary PHP code on the server. This can lead to complete site compromise, including data theft, privilege escalation, and potentially lateral movement if the server is part of a larger infrastructure. Given that the attacker already has Administrator-level privileges, the impact is amplified—they could use the RCE to bypass other security controls or maintain persistence [1].
Mitigation
Status As of the publication date (2025-04-26), no patched version has been released for this vulnerability. Users are advised to restrict access to the Administrator role, disable the plugin until a fix is available, or apply a web application firewall rule that filters the template_name parameter. Organisations should also monitor for signs of exploitation and consider whether the plugin's functionality is essential.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<=2.0.1+ 1 more
- (no CPE)range: <=2.0.1
- (no CPE)range: <=2.0.1
Patches
0add-custom-page-templateThis plugin has been removed from the WordPress.org directory on 2025-04-24 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.