CalvinBackup/CVEs-PoC
1
0
Fork 0
mirror of https://github.com/0xMarcio/cve.git synced 2026-05-24 20:04:01 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
dc2e8bb0307cf6efe547b3a58fdbde0aefbc88b2
CVEs-PoC/2012/CVE-2012-10025.md
T
0xMarcio cb00e1339f Update CVE list 2025-09-29 21:09
2025-09-29 21:09:30 +02:00

19 lines
1.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
### [CVE-2012-10025](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-10025)
![](https://img.shields.io/static/v1?label=Product&message=WordPress%20Plugin&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=*%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-98%20Improper%20Control%20of%20Filename%20for%20Include%2FRequire%20Statement%20in%20PHP%20Program%20('PHP%20Remote%20File%20Inclusion')&color=brightgreen)
### Description
The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web servers context, allowing full compromise of the host.
### POC
#### Reference
- https://www.exploit-db.com/exploits/23856
- https://www.vulncheck.com/advisories/wordpress-plugin-advanced-custom-fields-remote-file-inclusion
#### Github
- https://github.com/ARPSyndicate/cve-scores
Reference in New Issue View Git Blame Copy Permalink