CVE-2012-10025 in Advanced Custom Fields Plugin
Summary
by MITRE • 08/05/2025
The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. The script builds an include path from the acf_abspath POST parameter without validating it, so when the PHP directive allow_url_include is enabled (default: Off) an unauthenticated attacker can point the parameter at a URL and have the server fetch and execute attacker-supplied PHP. The result is remote code execution in the web server's security context and, from there, full compromise of the host.
Analysis
by VulDB Data Team • 08/06/2025
CVE-2012-10025 affects the Advanced Custom Fields plugin for WordPress in versions 3.5.1 and earlier. It is a remote file inclusion flaw in the plugin's core/actions/export.php, rated critical because the affected file is reachable without authentication. The root cause is missing validation of user-supplied input: the acf_abspath POST parameter is used to build the path for an include statement without any check on what it contains.
Exploitation consists of a POST request to the export.php endpoint with acf_abspath set to a location the attacker controls. Because the value is passed through to include, PHP resolves it as a stream: with allow_url_include enabled, an http:// or ftp:// URL is fetched from the attacker's host and the returned PHP is executed on the server. allow_url_include is Off by default, which blocks the remote variant, but the flaw lives in the code rather than in the PHP configuration: the same include still accepts any local path the web server can read, so the default setting narrows the issue to local file inclusion instead of removing it. In CWE terms this is CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, "PHP Remote File Inclusion"), closely related to path traversal (CWE-22) and resulting in code injection (CWE-94).
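To make the mechanism concrete, the PHP below is an added example, not ACF's own source. It reconstructs the shape of the include the advisory describes (a script that takes the WordPress root from the acf_abspath POST field and includes wp-load.php from it) and sets a validating version beside it. The exact lines of 3.5.1 are not reproduced on this page; all function names, the temporary demo directory and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);
/*
 * Added example, not code from the ACF plugin. Reconstructs the include
 * pattern the advisory describes; the real 3.5.1 source is not shown here.
 * Function names are hypothetical.
 */

/* Vulnerable shape: the include prefix comes straight from the request body. */
function acf_export_include_path_vulnerable(array $post): string
{
    // With allow_url_include=On, 'http://attacker.example/' makes PHP fetch and
    // run http://attacker.example/wp-load.php. With it Off, any local directory
    // the web server can read is still reachable (LFI, not "safe").
    return $post['acf_abspath'] . 'wp-load.php';   // would be passed to include()
}

/* Hardened shape, step 1: validate the untrusted value against the one
 * directory we are willing to bootstrap from. */
function acf_validate_abspath(string $candidate, string $expectedRoot): bool
{
    // Any "scheme:" prefix (http://, ftp://, php://, data:, phar://, expect://)
    // names a stream wrapper, never a filesystem directory. This also rejects
    // Windows drive letters such as C:\ ; adjust if WordPress runs there.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate) === 1) {
        return false;
    }
    // NUL bytes truncated include() paths on old PHP; refuse them explicitly.
    if (strpos($candidate, "\0") !== false) {
        return false;
    }
    // realpath() collapses "..", symlinks and trailing slashes and returns
    // false for paths that do not exist, so the comparison below is exact.
    $real     = realpath($candidate);
    $expected = realpath($expectedRoot);
    return $real !== false && $expected !== false && $real === $expected;
}

/* Hardened shape, step 2: after validation, include OUR known path, never the
 * attacker-supplied string. Returns null when the request must be refused. */
function acf_export_include_path_hardened(array $post, string $expectedRoot): ?string
{
    $candidate = (string) ($post['acf_abspath'] ?? '');
    if (!acf_validate_abspath($candidate, $expectedRoot)) {
        return null;                        // caller answers 403 and logs
    }
    return rtrim($expectedRoot, '/') . '/wp-load.php';
}

/* Demo over constructed inputs: returns [input, accepted, matches expectation]. */
function acf_demo(): array
{
    $root = sys_get_temp_dir() . '/acf_demo_root';   // stands in for ABSPATH
    if (!is_dir($root)) {
        mkdir($root);
    }
    $cases = [
        'http://attacker.example/'                      => false,
        'php://filter/convert.base64-encode/resource=x' => false,
        $root . '/'                                     => true,
        $root . '/../'                                  => false,
        '/etc/'                                         => false,
        "$root/\0"                                      => false,
    ];
    $results = [];
    foreach ($cases as $input => $expected) {
        $got = acf_validate_abspath($input, $root);
        $results[] = [addcslashes($input, "\0"), $got, $got === $expected];
    }
    return $results;
}

if (PHP_SAPI === 'cli') {
    foreach (acf_demo() as [$input, $got, $ok]) {
        printf("%-50s accepted=%-5s %s\n", $input, var_export($got, true), $ok ? 'OK' : 'MISMATCH');
    }
    echo acf_export_include_path_vulnerable(['acf_abspath' => 'http://attacker.example/']), PHP_EOL;
}
```

Run it with the php CLI to see which inputs the validator accepts. The durable fix is not validation at all but removing the dependency: derive the root from __DIR__ or, better, run the export inside a WordPress admin action guarded by a capability check and a nonce, so the script never has to be told where wp-load.php is.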
The impact is severe: unauthenticated remote code execution with the web server's privileges, which in practice means full control of the host. From that foothold an attacker can read or modify the WordPress database and files, exfiltrate data, establish persistent backdoors, attempt local privilege escalation and move laterally to other systems the web server can reach. Both the confidentiality and the integrity of the installation are lost. In ATT&CK terms the entry is T1190 (Exploit Public-Facing Application) and the delivered payload runs as T1059 (Command and Scripting Interpreter); everything after that is ordinary post-exploitation.
Mitigation is to update Advanced Custom Fields to version 3.5.2 or later, which contains the fix. Keep allow_url_include off: it is Off by default and deprecated since PHP 7.4, and enabling it re-opens the remote variant of this and every other include-based bug; it does nothing against the local variant, however, so the patch remains the primary defence. Because the malicious value travels in the POST body, a web application firewall or intrusion detection system must inspect request bodies, not just URLs, to catch attempts; a rule that flags acf_abspath values containing a URL scheme or path traversal is a reasonable virtual patch until the update is applied. Any custom code that builds include or require paths from request data should be reviewed for the same pattern, and regular audits of plugins and themes should look for it. The case illustrates two basics: keep the CMS and its extensions current, and never let user input control a file inclusion.
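A WordPress-level hook is the wrong place for a temporary block: a script that has to be told where wp-load.php lives is, by construction, executing before WordPress (and therefore before any plugin or mu-plugin) has loaded. That is an inference from the parameter's purpose rather than something the advisory states, but it is why the guard has to sit underneath WordPress. The PHP below is an added example, not code from ACF or WordPress, of a virtual patch loaded through PHP's auto_prepend_file directive: it refuses any request whose acf_abspath is not exactly the site's root and writes one parseable line to the PHP error log. The root path, the function names and the log format are assumptions to adapt.

```php
<?php
declare(strict_types=1);
/*
 * Added example, not ACF's or WordPress's code: a PHP-level virtual patch
 * loaded via auto_prepend_file, so it runs before every script the web server
 * executes, including a plugin file that is requested directly and loads
 * WordPress itself. Root path, names and log format are hypothetical.
 *
 * Enable with whichever your stack honours (auto_prepend_file is PHP_INI_PERDIR):
 *   php.ini / php-fpm pool:  auto_prepend_file = /etc/php/acf_guard.php
 *   .user.ini (FPM/CGI):     auto_prepend_file=/etc/php/acf_guard.php
 *   Apache mod_php:          php_value auto_prepend_file /etc/php/acf_guard.php
 */

const ACF_GUARD_ROOT = '/var/www/html';   // assumption: ABSPATH without trailing slash

/* Returns null when the request is fine, or a short reason when it must be
 * dropped. Pure function so it can be exercised away from a web server. */
function acf_guard_reason(array $post, string $root): ?string
{
    if (!array_key_exists('acf_abspath', $post)) {
        return null;                           // parameter absent: nothing to judge
    }
    $value = $post['acf_abspath'];
    if (!is_string($value)) {
        return 'acf_abspath is not a scalar';  // acf_abspath[]=... array trick
    }
    // Allow-list, not deny-list: the only legitimate value is our own root.
    // Plain string comparison on purpose, no realpath() and no normalisation,
    // so there is nothing for an attacker to canonicalise around.
    if (rtrim($value, '/') !== $root) {
        $kind = strpos($value, '://') !== false ? 'remote' : 'local';
        return sprintf('%s include attempt via acf_abspath=%s', $kind, $value);
    }
    return null;
}

/* One log line per blocked request, with attacker-controlled text escaped so
 * it cannot forge extra lines in the log. */
function acf_guard_log_line(string $ip, string $uri, string $reason): string
{
    return sprintf('acf_guard block ip=%s uri=%s reason="%s"',
        $ip, $uri, addcslashes($reason, "\"\n\r\0"));
}

if (PHP_SAPI !== 'cli') {                      // real request: enforce
    $reason = acf_guard_reason($_POST, ACF_GUARD_ROOT);
    if ($reason !== null) {
        error_log(acf_guard_log_line(
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $_SERVER['REQUEST_URI'] ?? '-',
            $reason
        ));
        http_response_code(403);
        exit('Forbidden');
    }
} else {                                       // CLI: self-check on constructed input
    $samples = [
        ['acf_abspath' => 'http://attacker.example/'],
        ['acf_abspath' => '/var/www/html/'],
        ['acf_abspath' => '/var/www/html/../../etc/'],
        ['acf_abspath' => ['x']],
        ['other' => 'value'],
    ];
    foreach ($samples as $post) {
        $r = acf_guard_reason($post, ACF_GUARD_ROOT);
        echo json_encode($post), ' => ', $r ?? 'allow', PHP_EOL;
    }
}
```

The comparison is a deliberate exact match against an allow-listed value rather than a deny-list of wrappers or traversal strings, which is why nothing needs to be decoded first. Remove the guard once the plugin is updated, and keep in mind that it only covers requests that reach PHP; a web server deny rule for direct requests to the plugin's core/actions directory is the cheaper complement.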