The Advanced Views – Display Posts, Custom Fields, and More WordPress plugin by wplakeorg suffers from a Server-Side Template Injection vulnerability identified as CVE-2025-10380. This vulnerability is classified under CWE-1336, which involves improper neutralization of special elements used in a template engine. The issue stems from insufficient sanitization of user input and inadequate access control when processing custom Twig templates within the plugin's Model panel. Specifically, authenticated users with author-level privileges or higher can inject malicious Twig template code that the server executes, resulting in arbitrary PHP code execution. This allows attackers to run commands on the underlying server, potentially leading to full system compromise. The vulnerability affects all plugin versions up to 3.7.19. The CVSS v3.1 score is 8.8, indicating high severity, with an attack vector of network, low attack complexity, privileges required at the author level, no user interaction needed, and high impact on confidentiality, integrity, and availability. Although no public exploits or patches are currently available, the risk is significant due to the widespread use of WordPress and the plugin's functionality that enables custom content display via templates. The vulnerability's exploitation could allow attackers to bypass typical WordPress security boundaries and gain control over the hosting environment.

The impact of CVE-2025-10380 is severe for organizations using the affected WordPress plugin. Successful exploitation grants attackers the ability to execute arbitrary PHP code on the web server, which can lead to complete site takeover. This includes unauthorized access to sensitive data, defacement of websites, installation of backdoors or malware, and lateral movement within internal networks. Since the vulnerability requires only author-level access, attackers can leverage compromised or malicious author accounts to escalate privileges and execute code remotely. The lack of user interaction and low attack complexity further increase the risk. For organizations relying on WordPress for critical business functions, this vulnerability threatens confidentiality, integrity, and availability of web assets and backend systems. Additionally, compromised sites can be used to launch further attacks, distribute malware, or damage organizational reputation. The absence of patches at the time of disclosure means that affected entities must rely on interim mitigations, increasing exposure time.

To mitigate CVE-2025-10380, organizations should immediately restrict author-level and higher privileges to trusted users only, minimizing the risk of insider threats or account compromise. Disable or restrict access to the Model panel and any functionality that allows custom Twig template input until a vendor patch is released. Implement strict input validation and sanitization controls on any user-supplied data related to templates, if custom development is involved. Monitor server logs and WordPress activity logs for unusual template rendering or PHP execution patterns. Employ Web Application Firewalls (WAFs) with rules targeting SSTI patterns to block exploitation attempts. Regularly update WordPress core and plugins once the vendor releases a patch addressing this vulnerability. Consider isolating WordPress instances in segmented network zones to limit lateral movement in case of compromise. Conduct security awareness training for authors and editors about the risks of privilege misuse. Finally, maintain regular backups and test incident response plans to enable rapid recovery if exploitation occurs.