WordPress Plugin Vulnerabilities

Advanced Views < 3.7.20 - Author+ Remote Code Execution via SSTI

Description

The plugin is vulnerable to Server-Side Template Injection due to insufficient input sanitization and lack of access control when processing custom Twig templates in the Model panel. This makes it possible for authenticated attackers, with author-level access or higher, to execute arbitrary PHP code and commands on the server.

Affects Plugins

Plugin icon
acf-views
Fixed in 3.7.20

References

CVE
CVE-2025-10380
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/52b04517-f0be-4bbf-818c-70a12d76bfec

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Aurélien BOURDOIS (Elymaro)
Verified
No
WPVDB ID
b0a84eef-84f1-48f9-9cb9-f14e3942b611

Timeline

Publicly Published
2025-09-22 (about 8 months ago)
Added
2025-09-22 (about 8 months ago)
Last Updated
2025-09-22 (about 8 months ago)

Other

Published
Title
Published
2026-04-20
Title
Slider, Gallery, and Carousel by MetaSlider < 3.107.0 - Editor+ Remote Code Execution
Published
2026-05-01
Title
Widget Options < 4.2.3 - Contributor+ Remote Code Execution via Display Logic
Published
2025-07-03
Title
Easy Stripe < 1.2 - Unauthenticated Arbitrary Function Call
Published
2026-04-22
Title
Blocksy Companion Pro < 2.1.38 - Authenticated (Contributor+) Remote Code Execution
Published
2026-05-25
Title
Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP < 7.1.3 - Authenticated (Admin+) Remote Code Execution