Add Custom Page Template WordPress Plugin PHP Code Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability allowing PHP code injection has been identified in the Add Custom Page Template plugin for WordPress, in all versions through 2.0.1. This vulnerability arises from inadequate sanitization of the 'template_name' parameter in the 'acpt_validate_setting' function. As a result, authenticated attackers with Administrator-level access can execute arbitrary code on the server.
Impact
Exploitation of this vulnerability allows authenticated users with Administrator privileges to execute arbitrary PHP code on the server, potentially leading to full site compromise.
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.5
remediation: 0.0
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
