Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

WordPress Plugin Advanced Custom Fields Remote File Inclusion Vulnerability

Vulnerability

A remote file inclusion vulnerability has been identified in the WordPress plugin Advanced Custom Fields (ACF), versions up to and including 3.5.1. The issue resides in the core/actions/export.php file, where the 'acf_abspath' POST parameter can be exploited to include and execute arbitrary remote PHP code. The vulnerability is only exploitable when the PHP 'allow_url_include' directive is enabled, since that directive is what permits remote files to be included and executed on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected server, under the web server's user context, potentially leading to a full compromise of the host.

Reproduction

To reproduce this vulnerability, send a POST request to 'wp-content/plugins/advanced-custom-fields/core/actions/export.php' with the 'acf_abspath' parameter set to a URL of a remote PHP file. Ensure that the 'allow_url_include' directive is enabled in the PHP configuration.

Remediation

Users are advised to update the Advanced Custom Fields plugin to version 3.5.2 or later.
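As an added triage example (not code from this advisory or from the ACF project), the following Python script checks the three facts that decide exposure according to the Vulnerability and Remediation sections above: the installed plugin version against the fixed release 3.5.2, whether the PHP 'allow_url_include' directive is enabled, and whether the web server's access log shows direct POST requests to the export.php script. The plugin header, php.ini fragment and log lines are constructed samples; the access-log format is assumed to be the common Apache/nginx combined format, and the file locations are assumptions for a standard WordPress layout.

```python
"""Exposure triage for the ACF 'acf_abspath' remote file inclusion issue.

Added example, not part of the advisory or the ACF plugin. All inputs
below are constructed samples; the log format and file layout are assumed.
"""
import re

FIXED_VERSION = (3, 5, 2)  # first fixed release named in the advisory
EXPORT_PATH = "wp-content/plugins/advanced-custom-fields/core/actions/export.php"


def parse_version(text: str) -> tuple:
    """Extract 'Version: x.y.z' from a WordPress plugin header as a tuple of ints."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no Version header found")
    return tuple(int(p) for p in m.group(1).split("."))


def plugin_is_vulnerable(header_text: str) -> bool:
    """True when the installed ACF version is below the first fixed release."""
    return parse_version(header_text) < FIXED_VERSION


def allow_url_include_enabled(ini_text: str) -> bool:
    """Parse php.ini-style text; PHP treats 1/On/True/Yes as enabled.
    The last assignment wins, as it does in PHP's own ini handling."""
    enabled = False
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop trailing comments
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() == "allow_url_include":
            enabled = value.strip('"').lower() in ("1", "on", "true", "yes")
    return enabled


# Matches the request section of a combined-format access log line (assumed format)
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_requests(log_lines):
    """Return access-log lines that POST directly to the ACF export.php script.

    Access logs do not carry POST bodies, so the acf_abspath value itself is
    not visible; a direct POST to this plugin file is the observable signal.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("method") == "POST" and EXPORT_PATH in m.group("path"):
            hits.append(line)
    return hits


def triage(header_text: str, ini_text: str, log_lines) -> dict:
    """Combine the three checks; the issue is exploitable only if both
    the plugin is unpatched and allow_url_include is on."""
    vuln = plugin_is_vulnerable(header_text)
    url_include = allow_url_include_enabled(ini_text)
    return {
        "plugin_vulnerable": vuln,
        "allow_url_include": url_include,
        "exploitable": vuln and url_include,
        "suspicious_requests": suspicious_requests(log_lines),
    }


# Constructed sample inputs (not taken from any real system)
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Advanced Custom Fields
Version: 3.5.1
*/
"""

SAMPLE_PHP_INI = """; constructed php.ini fragment
allow_url_fopen = On
allow_url_include = On   ; weak setting: remote includes are possible
"""

HARDENED_PHP_INI = "allow_url_include = Off\n"  # corrected setting

SAMPLE_LOG = [
    '203.0.113.5 - - [05/Aug/2025:21:30:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Aug/2025:21:31:12 +0000] "POST /' + EXPORT_PATH + ' HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print(triage(SAMPLE_PLUGIN_HEADER, SAMPLE_PHP_INI, SAMPLE_LOG))
```

Running the script with the weak php.ini fragment reports exploitable=True and one suspicious request; swapping in the hardened fragment reports exploitable=False even though the plugin is still unpatched, which mirrors the advisory's point that 'allow_url_include' is a precondition. Updating the plugin to 3.5.2 or later remains the actual fix.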

Added: Aug 5, 2025, 9:30 PM
Updated: Aug 5, 2025, 9:30 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 10.0
exploitability: 10.0
remediation: 7.7
relevance: 0.3
threat: 9.3
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.