### [CVE-2012-10025](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-10025)

![](https://img.shields.io/static/v1?label=Product&message=WordPress%20Plugin&color=blue) ![](https://img.shields.io/static/v1?label=Version&message=*%20&color=brightgreen) ![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-98%20Improper%20Control%20of%20Filename%20for%20Include%2FRequire%20Statement%20in%20PHP%20Program%20('PHP%20Remote%20File%20Inclusion')&color=brightgreen)

### Description

The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server’s context, allowing full compromise of the host.

### POC

#### Reference

- https://www.exploit-db.com/exploits/23856
- https://www.vulncheck.com/advisories/wordpress-plugin-advanced-custom-fields-remote-file-inclusion

#### Github

- https://github.com/ARPSyndicate/cve-scores
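The CWE-98 pattern the description attributes to core/actions/export.php, shown as an added illustration beside a hardened form; this is not the plugin's code, and the body of the vulnerable function is an assumption built only from the parameter name (acf_abspath) and the include behaviour the advisory states:

```php
<?php
// Added illustration, not ACF's own source. Only the parameter name and the
// "POST value reaches an include" behaviour come from the advisory; the rest
// is assumed for the sake of the example.

// Vulnerable pattern (CWE-98): the include path is taken from request data.
// With allow_url_include=On the value may be a URL, so PHP fetches and runs
// whatever it points at; with it Off the same line is still a local file
// inclusion / path traversal sink.
function export_vulnerable(array $post): void
{
    $abspath = isset($post['acf_abspath'])
        ? $post['acf_abspath']
        : dirname(__FILE__) . '/../../..';   // assumed fallback
    include $abspath . '/wp-load.php';
}

// Hardened pattern: never derive an include path from the request. Resolve the
// expected file from the ABSPATH constant WordPress defines during its normal
// bootstrap, and verify the resolved path is a real file under that root.
function export_hardened(): void
{
    if (!defined('ABSPATH')) {
        // File was requested directly, outside the WordPress bootstrap.
        http_response_code(403);
        exit('Direct access is not permitted.');
    }
    $root   = realpath(ABSPATH);
    $target = realpath(ABSPATH . 'wp-load.php');
    // realpath() returns false for URLs, stream wrappers and missing files;
    // the prefix test rejects anything that resolved outside the install root.
    if ($root === false || $target === false || strpos($target, $root) !== 0) {
        http_response_code(500);
        exit('Unexpected include target.');
    }
    require $target;
}

// Deployment check for the configuration precondition the advisory names:
// returns true only when allow_url_include is Off (PHP's default).
function url_include_disabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}
```

The same precondition can be confirmed from the shell with `php -i | grep allow_url_include`; any value other than Off on a host running this plugin version removes the one mitigation the advisory relies on.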