Advanced Views WordPress Plugin CVE-2025-10380: Brief Summary of Server-Side Template Injection

This post provides a brief summary of CVE-2025-10380, a Server-Side Template Injection vulnerability in the Advanced Views WordPress plugin up to version 3.7.19. The summary focuses on technical details, affected versions, and vendor security history based on available public sources.
CVE Analysis

7 min read

ZeroPath CVE Analysis

2025-09-22

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers with author-level access can execute arbitrary PHP code on WordPress sites using Advanced Views plugin versions up to and including 3.7.19. This risk is not theoretical: it enables full compromise of affected sites through a Server-Side Template Injection (SSTI) flaw in a widely used plugin for dynamic content display and custom fields.

About the Involved Software: Advanced Views is a WordPress plugin developed by WPLake, designed to display posts and custom fields from sources like ACF, MetaBox, Pods, and WooCommerce. It is popular among developers for its flexibility and integration with modern templating engines like Twig. The plugin is used by a significant number of WordPress sites, especially those requiring advanced content presentation.

Technical Information

CVE-2025-10380 is a Server-Side Template Injection vulnerability in the Advanced Views plugin for WordPress, affecting all versions up to and including 3.7.19. The vulnerability is due to insufficient input sanitization and lack of access control when processing custom Twig templates in the Model panel. Authenticated users with author-level privileges or higher can inject malicious Twig template code, which is then executed on the server.

The vulnerable code resides in the plugin's src/Template_Engines/Twig.php file, specifically at or around line 106 in version 3.7.19 (reference). The flaw allows attackers to execute arbitrary PHP code and system commands via crafted Twig templates. The root cause is improper neutralization of special elements used in the template engine, classified as CWE-1336.

No public proof of concept or exploit code has been provided in the referenced sources. The vulnerability requires authentication but does not require administrative privileges, making it accessible to a broader set of users in typical WordPress deployments.
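The two weaknesses named above (missing access control on who may edit templates, and templates executed without restriction) map directly onto two controls. The PHP below is an added example written for this summary, not code from the Advanced Views plugin; the function names, the `manage_options` capability choice, the post-meta key, the sandbox allow-list and the sample context are all assumptions. It uses Twig's real `SandboxExtension`/`SecurityPolicy` API and core WordPress functions (`current_user_can`, `wp_die`, `update_post_meta`) to gate template editing to administrators and to render every custom template inside an explicit allow-list so that anything outside it raises `SecurityError` instead of running.

```php
<?php
// Added example, not the plugin's own code. Demonstrates the two controls a
// defender wants for user-editable Twig templates: an access check on the
// save path and a sandboxed environment on the render path.
declare(strict_types=1);

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

/**
 * Control 1: access control on the save path (names are assumptions).
 * Only users who may already place arbitrary code on the site should edit
 * templates; author-level users are refused with a 403.
 */
function av_example_save_custom_template(int $view_id, string $source): void
{
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges to edit Twig templates.', 403);
    }
    // '_av_example_twig_source' is a hypothetical meta key.
    update_post_meta($view_id, '_av_example_twig_source', wp_unslash($source));
}

/**
 * Control 2: an explicit allow-list for what a template may use.
 * Tags, filters and functions not listed here are rejected at compile time;
 * no object methods or properties are reachable at all, so a template gets
 * presentation-level constructs only.
 */
function av_example_security_policy(): SecurityPolicy
{
    return new SecurityPolicy(
        ['if', 'for', 'set'],                            // allowed tags
        ['escape', 'upper', 'lower', 'length', 'date'],  // allowed filters
        [],                                              // allowed object methods: none
        [],                                              // allowed object properties: none
        ['range']                                        // allowed functions
    );
}

/**
 * Render a user-supplied template source in a sandboxed Twig environment.
 * Fails closed: a policy violation is logged and a placeholder is returned,
 * never an unsandboxed re-render.
 */
function av_example_render(string $source, array $context): string
{
    $loader = new ArrayLoader(['user_template' => $source]);
    $twig   = new Environment($loader, [
        'autoescape'       => 'html',  // HTML-escape output by default
        'strict_variables' => true,    // undefined variables fail loudly
    ]);
    // Second argument true = sandbox every template, not only {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension(av_example_security_policy(), true));

    try {
        return $twig->render('user_template', $context);
    } catch (SecurityError $e) {
        error_log('Twig sandbox violation: ' . $e->getMessage());
        return '<!-- template rejected by sandbox policy -->';
    }
}

// Constructed sample: a harmless presentation-only template and context.
// Context values are plain arrays, so no object methods are exposed.
$sample_template = '<h2>{{ post.title|upper }}</h2>'
    . '{% for tag in post.tags %}<span>{{ tag }}</span>{% endfor %}';
$sample_context  = [
    'post' => ['title' => 'Hello <World>', 'tags' => ['news', 'wp']],
];
echo av_example_render($sample_template, $sample_context), PHP_EOL;
```

The sandbox is only as tight as the policy: allowing broad method or property access on objects placed in the context reopens the path from a template to arbitrary PHP, so keep the lists minimal and pass plain data rather than live objects. Sites that want non-administrators to edit templates should still gate on a deliberately chosen capability (for example `unfiltered_html`) rather than on authorship alone.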

Affected Systems and Versions

  • Product: Advanced Views – Display Posts, Custom Fields, and More (WordPress plugin)
  • Affected versions: All versions up to and including 3.7.19
  • Vulnerable configuration: Any WordPress site with the plugin installed and author-level (or higher) authenticated users who can create or edit custom Twig templates in the Model panel

Vendor Security History

Advanced Views is developed by WPLake. The plugin is widely adopted for advanced content display in WordPress. Previous vulnerabilities in Advanced Views have not been widely reported, but the plugin's integration with powerful template engines like Twig increases its attack surface. WPLake generally maintains good documentation and update cadence, but this SSTI issue highlights the risks of processing user-supplied template code.
