CVE-2025-3491

Add custom page template <= 2.0.1 - Authenticated (Administrator+) PHP Code Injection to Remote Code Execution

CVSS 7.2 HIGHEPSS 0.6%CWE-94

The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acpt_validate_setting' function. This is due to insufficient sanitization of the 'template_name' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Produtos afetados

kiranpatil353 · Add custom page template

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://plugins.svn.wordpress.org/add-custom-page-template/trunk/index.php https://www.wordfence.com/threat-intel/vulnerabilities/id/9c2d97c4-b166-4d1f-8042-d0362e650c62?source=cve