mirror of
https://github.com/0xMarcio/cve.git
synced 2026-02-12 18:42:46 +00:00
1.2 KiB
1.2 KiB
CVE-2012-10025
&color=brightgreen)
Description
The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server’s context, allowing full compromise of the host.
POC
Reference
- https://www.exploit-db.com/exploits/23856
- https://www.vulncheck.com/advisories/wordpress-plugin-advanced-custom-fields-remote-file-inclusion