CVE-2025-3491: CWE-94 Improper Control of Generation of Code ('Code Injection') in kiranpatil353 Add custom page template
The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acpt_validate_setting' function. This is due to insufficient sanitization of the 'template_name' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
AI Analysis
Technical Summary
CVE-2025-3491 is a high-severity vulnerability affecting the WordPress plugin 'Add custom page template' developed by kiranpatil353, specifically all versions up to and including 2.0.1. The vulnerability arises from improper sanitization of the 'template_name' parameter within the 'acpt_validate_setting' function, leading to PHP code injection (CWE-94). This flaw allows an authenticated attacker with Administrator-level privileges or higher to inject and execute arbitrary PHP code on the server hosting the WordPress site. The vulnerability is remotely exploitable over the network (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) but no user interaction (UI:N). The impact on confidentiality, integrity, and availability is high, as successful exploitation can lead to full system compromise, data theft, defacement, or denial of service. Although no public exploits have been observed in the wild yet, the presence of this vulnerability in a widely used CMS plugin poses a significant risk. The lack of available patches at the time of publication further increases exposure. The vulnerability is classified under CWE-94, indicating improper control over code generation, a critical security weakness in web applications that handle dynamic code execution. Given the nature of WordPress plugins, this vulnerability can be leveraged to pivot attacks within the hosting environment, potentially affecting other applications or data stored on the same server.
Potential Impact
For European organizations, this vulnerability presents a substantial risk, especially for those relying on WordPress for their web presence, including e-commerce, government portals, and corporate websites. Exploitation could lead to unauthorized access to sensitive customer data, intellectual property theft, website defacement, or disruption of online services. Given the high privileges required, insider threats or compromised administrator accounts are the primary vectors, but phishing or credential theft could facilitate such access. The impact extends beyond individual sites, as compromised servers can be used as launchpads for further attacks, including lateral movement within corporate networks or distribution of malware. The reputational damage and regulatory consequences under GDPR for data breaches could be severe. Additionally, sectors with critical infrastructure or public-facing services are at heightened risk due to potential service outages or manipulation of information.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the presence of the 'Add custom page template' plugin and verify its version. Since no official patch is currently available, temporary mitigations include disabling or uninstalling the plugin until a secure update is released. Restricting administrator access through strict role management and enforcing multi-factor authentication (MFA) can reduce the risk of credential compromise. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'template_name' parameter can provide additional protection. Regular monitoring of server logs for unusual PHP execution or unexpected changes in template files is recommended. Organizations should also ensure that backups are current and tested to enable rapid recovery in case of compromise. Finally, maintaining an incident response plan that includes procedures for web server compromise will improve readiness.
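The first mitigation step above is an inventory check. The following audit helper is an added example, not code from the advisory or from the plugin: it parses the header comment block that WordPress uses for plugin metadata, and flags any copy of 'Add custom page template' whose version is at or below 2.0.1. The sample plugin sources and the directory slug are constructed for illustration; `scan_plugin_dir` is a hypothetical helper for running the same check against a real wp-content/plugins tree.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

AFFECTED_PLUGIN = "Add custom page template"
LAST_AFFECTED_VERSION = "2.0.1"   # advisory: all versions up to and including this one

# Constructed sample plugin headers (not the real plugin's source); the slug is assumed.
SAMPLE_PLUGINS: Dict[str, str] = {
    "add-custom-page-template/add-custom-page-template.php": (
        "<?php\n/*\nPlugin Name: Add custom page template\n"
        "Version: 2.0.1\nAuthor: kiranpatil353\n*/\n"
    ),
    "other-plugin/other-plugin.php": (
        "<?php\n/**\n * Plugin Name: Some Other Plugin\n * Version: 3.4.0\n */\n"
    ),
}

# WordPress reads header fields from lines like "Plugin Name: ..." or " * Version: ..."
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M)


def parse_plugin_header(source: str) -> Dict[str, str]:
    """Return the first 'Plugin Name' and 'Version' values found in a plugin file."""
    fields: Dict[str, str] = {}
    for m in HEADER_RE.finditer(source):
        fields.setdefault(m.group(1), m.group(2))
    return fields


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.0.1' -> (2, 0, 1); non-numeric suffixes such as '-beta' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected(name: str, version: str) -> bool:
    """True when the plugin is the advisory's plugin at version <= 2.0.1."""
    return name == AFFECTED_PLUGIN and version_tuple(version) <= version_tuple(LAST_AFFECTED_VERSION)


def audit(plugins: Dict[str, str]) -> List[Tuple[str, str]]:
    """Map of file path -> source text; returns (path, version) for each affected plugin."""
    findings = []
    for path, source in plugins.items():
        header = parse_plugin_header(source)
        name, version = header.get("Plugin Name"), header.get("Version")
        if name and version and is_affected(name, version):
            findings.append((path, version))
    return findings


def scan_plugin_dir(plugins_dir: str) -> List[Tuple[str, str]]:
    """Hypothetical helper: audit every top-level PHP file under wp-content/plugins."""
    root = Path(plugins_dir)
    sources = {str(p.relative_to(root)): p.read_text(errors="ignore")[:8192]
               for p in root.glob("*/*.php")}
    return audit(sources)
```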
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-10T00:05:32.738Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d983dc4522896dcbef798
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 6/24/2025, 7:20:20 PM
Last updated: 7/26/2025, 3:19:02 AM