Vulnerability in Advanced Custom Fields WordPress Plugin
CVE-2012-10025
The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an…
EPSS: 0.640 (98.5th percentile)
Affected products
- Advanced Custom Fields WordPress Plugin — versions 0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/u… (exploit)
- www.exploit-db.com/exploits/23856 (exploit)
- web.archive.org/web/20121223025326/http://secunia.com:80/advisories/51037 (technical-description, exploit)
- www.tenable.com/plugins/nessus/63326 (third-party-advisory)
- www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/advanced-custo… (third-party-advisory)
- wpscan.com/vulnerability/d132d93b-509c-490d-8001-87147ed28c5e/ (third-party-advisory)
- wordpress.org/plugins/advanced-custom-fields/ (product)
- www.vulncheck.com/advisories/wordpress-plugin-advanced-custom-fields-remote-fil… (third-party-advisory)
Frequently asked questions
- What is CVE-2012-10025?
- CVE-2012-10025 is a vulnerability in the Advanced Custom Fields WordPress Plugin, classified under PHP Remote File Inclusion. Published 2025-08-05.
- Is CVE-2012-10025 known to be exploited?
- 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.