CVE Alert: CVE-2025-10380 – wplakeorg – Advanced Views – Display Posts, Custom Fields, and More

CVE-2025-10380

Severity: HIGH
Exploitation: No exploitation known

The Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress is vulnerable to Server-Side Template Injection in all versions up to, and including, 3.7.19. This is due to insufficient input sanitization and lack of access control when processing custom Twig templates in the Model panel. This makes it possible for authenticated attackers, with author-level access or higher, to execute arbitrary PHP code and commands on the server.

CVSS v3.1 (8.8)
Vendor
wplakeorg
Product
Advanced Views – Display Posts, Custom Fields, and More
Versions
* lte 3.7.19
CWE
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published
2025-09-23T03:34:34.263Z
Updated
2025-09-23T03:34:34.263Z

AI Summary Analysis

Risk verdict

High risk of authenticated remote code execution via SSTI in the affected plugin; there is no explicit KEV/SSVC exploitation signal in the data.

Why this matters

An author-level account is a low bar: such accounts are routinely issued to contributors and guest writers and are a common target for credential stuffing. From there the attacker runs arbitrary PHP as the web server user, which means full site compromise: reading database credentials from wp-config.php, dropping a persistent web shell, defacement, theft of user credentials and session data, and lateral movement within the hosting environment.

Most likely attack path

An attacker holding author-level credentials, whether legitimately issued, phished or guessed, submits a crafted Twig template through the plugin's Model panel. Because the template input is not sufficiently sanitised and access to the feature is not restricted to trusted roles, the template is rendered with constructs that reach PHP, yielding code execution. No user interaction (UI:N) and no special conditions (AC:L) are required, so once credentials are in hand the attacker can drop a web shell and persist.

Who is most exposed

Self-hosted WordPress sites using this plugin, especially where author accounts exist and are not tightly guarded or monitored. Deployments across shared or multi-tenant hosting with multiple WP instances increase the attacker’s potential blast radius.

Detection ideas

  • Unexpected child processes spawned by the PHP worker (sh, curl, wget, base64) in process, audit or EDR telemetry, or web shell signatures in files under the web root.
  • Twig syntax ({{ … }} or {% … %}) in request bodies or application logs that carries constructs such as _self, filter(, map( or shell-command names; these match well in WAF or SIEM rules.
  • Unauthorised file writes or new PHP files under wp-content (uploads in particular) or plugin directories, checked against a hash baseline.
  • Sudden spikes in server CPU or memory during template rendering.
  • New admin users, role changes or privilege escalations without a matching change record.

Mitigation and prioritisation

  • Update the plugin to a version later than 3.7.19 (all versions up to and including 3.7.19 are listed as affected), or remove it if patching is infeasible; test in staging first.
  • Enforce least privilege for author accounts; rotate credentials; revoke unused accounts.
  • Enable web application firewall rules or SIEM detections targeting SSTI payloads and Twig-eval patterns; monitor for template-related errors.
  • Change-management: back up sites, schedule patch windows with rollback plan.
  • If the CVE enters the CISA KEV catalogue or its EPSS score reaches 0.5 or higher, treat it as priority 1; otherwise treat it as high-priority remediation (CVSS 8.8, low-privilege authenticated RCE).
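The following script is an added example, not code from the advisory or from the plugin, implementing two of the detection ideas above (the Twig-pattern SIEM rule and the new-PHP-file check). The log lines, file paths and hashes are constructed sample data; the Twig indicator list is generic Twig SSTI tradecraft and is an assumption, not the specific payload used against this plugin, which the advisory does not disclose.

```python
"""Added example (not the advisory's or the plugin's code): two lightweight
detections for the SSTI class described above.

  1. scan_log()      - find Twig expressions carrying code-reaching constructs
                       in request/application log lines
  2. new_php_files() - compare a baseline of wp-content file hashes with a
                       current listing and report new or modified PHP files

All log lines, paths and hashes below are constructed sample data.
"""
import re
from urllib.parse import unquote

# A Twig output block {{ ... }} or tag block {% ... %}.
TWIG_BLOCK = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

# Constructs commonly abused in Twig SSTI to reach PHP, plus the classic
# arithmetic probe ({{7*7}}). Assumption: this is a generic indicator list,
# not the specific payload used against the plugin (the advisory gives none).
SUSPECT = re.compile(
    r"_self|\benv\b|\b(?:filter|map|reduce|sort)\s*\("
    r"|system|passthru|shell_exec|proc_open|popen|\bexec\b"
    r"|registerUndefinedFilterCallback|getFilter|file_put_contents"
    r"|\d+\s*\*\s*\d+",
    re.I,
)


def ssti_indicators(line: str) -> list[str]:
    """Return the suspicious Twig blocks found in one log line."""
    # Decode twice: payloads in query strings or form bodies are often
    # double-encoded to slip past naive filters.
    decoded = unquote(unquote(line))
    return [b for b in TWIG_BLOCK.findall(decoded) if SUSPECT.search(b)]


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, hits) for every line carrying an indicator."""
    return [(n, hits) for n, ln in enumerate(lines, 1) if (hits := ssti_indicators(ln))]


# Constructed log lines in combined-log style with the request body appended
# (as a WAF or mod_security audit log would record it).
SAMPLE_LOG = [
    '10.0.0.5 - author1 [23/Sep/2025:03:40:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 '
    '"template=%7B%7B%20post.title%20%7D%7D"',                                   # benign field reference
    '10.0.0.9 - author2 [23/Sep/2025:03:41:05 +0000] "GET /?s=%7B%7B7%2A7%7D%7D HTTP/1.1" 200 2048 "-"',  # {{7*7}} probe
    '10.0.0.9 - author2 [23/Sep/2025:03:41:17 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 '
    '"template=%7B%7B%5B%27id%27%5D%7Cfilter%28%27system%27%29%7D%7D"',        # {{['id']|filter('system')}}
    '10.0.0.7 - - [23/Sep/2025:03:42:30 +0000] "GET /2025/09/hello-world/ HTTP/1.1" 200 7311 "-"',
]


def new_php_files(baseline: dict[str, str], current: dict[str, str]) -> list[str]:
    """Return PHP files that are absent from the baseline or whose hash differs.

    Non-PHP files (e.g. uploaded images) are ignored to keep the signal tight.
    """
    return sorted(
        path for path, digest in current.items()
        if path.endswith(".php") and baseline.get(path) != digest
    )


# Constructed baseline taken right after the last known-good deploy, and a
# listing taken later. Hashes are placeholders, not real digests.
BASELINE = {
    "wp-content/plugins/example-plugin/example-plugin.php": "sha256:a1",
    "wp-content/themes/example-theme/functions.php": "sha256:b2",
    "wp-content/uploads/2025/09/hero.jpg": "sha256:c3",
}
CURRENT = {
    "wp-content/plugins/example-plugin/example-plugin.php": "sha256:a1",
    "wp-content/themes/example-theme/functions.php": "sha256:b9",   # modified
    "wp-content/uploads/2025/09/hero.jpg": "sha256:c3",
    "wp-content/uploads/2025/09/wp-cache.php": "sha256:d4",         # new PHP in uploads
    "wp-content/uploads/2025/09/banner.jpg": "sha256:e5",           # new, but not PHP
}

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"log line {n}: {hits}")
    for path in new_php_files(BASELINE, CURRENT):
        print(f"new or modified PHP file: {path}")
```

The benign `{{ post.title }}` reference is not flagged, while the `{{7*7}}` probe and the `filter('system')` payload are; in production, feed the first function with WAF or audit-log lines that include request bodies (plain access logs drop POST data) and generate the hash baseline with a real digest over wp-content immediately after a clean deploy.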
