CVE-2012-10025

The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server’s context, allowing full compromise of the host.

The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server’s context, allowing full compromise of the host.

El complemento Advanced Custom Fields (ACF) para Wordpress versión 3.5.1 y anteriores, contiene una vulnerabilidad de inclusión remota de archivos (RFI) en core/actions/export.php. Cuando la directiva de configuración de PHP allow_url_include está habilitada (desactivada por defecto), un atacante no autenticado puede explotar el parámetro POST acf_abspath para incluir y ejecutar código PHP remoto arbitrario. Esto provoca la ejecución remota de código en el contexto del servidor web, lo que permite la vulneración total del host.