CVE-2025-10380
📋 TL;DR
This vulnerability in the Advanced Views WordPress plugin allows authenticated attackers with author-level access or higher to execute arbitrary PHP code and commands on the server through server-side template injection. It affects all versions up to 3.7.19 due to insufficient input sanitization in Twig template processing. WordPress sites using this plugin are at risk of complete server compromise.
💻 Affected Systems
- Advanced Views – Display Posts, Custom Fields, and More WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover with attacker gaining full control over the web server, database access, and ability to pivot to other systems on the network.
Likely Case
Website defacement, data theft, malware installation, and creation of backdoors for persistent access.
If Mitigated
Limited impact if proper access controls and input validation are in place, but still significant risk due to authenticated access requirement.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once attacker has author-level credentials. The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.20 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3364566%40acf-views&new=3364566%40acf-views&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Advanced Views' plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 3.7.20+ from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable plugin temporarily
allDeactivate the Advanced Views plugin until patched
wp plugin deactivate acf-views
Restrict user roles
linuxTemporarily remove author-level access from untrusted users
wp user list --role=author --field=ID | xargs wp user set-role subscriber
🧯 If You Can't Patch
- Implement strict access controls and review all author-level user accounts
- Deploy web application firewall rules to block template injection patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Advanced Views → Version number. If version is 3.7.19 or lower, you are vulnerable.Check Version:
wp plugin get acf-views --field=versionVerify Fix Applied:
After updating, verify plugin version shows 3.7.20 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to admin-ajax.php with template parameters
- PHP execution attempts in uploads or cache directories
- Multiple failed login attempts followed by successful author-level login
Network Indicators:
- Unusual outbound connections from web server to external IPs
- Command and control traffic patterns
SIEM Query:
source="wordpress.log" AND ("acf-views" OR "twig.php") AND (POST OR PUT) AND ("template" OR "eval" OR "system")🔗 References
- https://plugins.trac.wordpress.org/browser/acf-views/tags/3.7.19/src/Template_Engines/Twig.php#L106
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3364566%40acf-views&new=3364566%40acf-views&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/52b04517-f0be-4bbf-818c-70a12d76bfec?source=cve
