CVE-2025-3491: CWE-94 Improper Control of Generation of Code ('Code Injection') in kiranpatil353 Add custom page template
The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acpt_validate_setting' function. This is due to insufficient sanitization of the 'template_name' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
AI Analysis
Technical Summary
CVE-2025-3491 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code), specifically a PHP code injection flaw in the 'Add custom page template' WordPress plugin developed by kiranpatil353. The vulnerability arises from inadequate sanitization of the 'template_name' parameter within the 'acpt_validate_setting' function. This parameter is used in a context that allows an authenticated user with Administrator privileges to inject arbitrary PHP code, which the server subsequently executes. Since WordPress plugins run with the same permissions as the web server user, successful exploitation can lead to remote code execution (RCE), enabling attackers to take full control of the affected server. The vulnerability affects all versions up to and including 2.0.1 of the plugin. The CVSS v3.1 base score is 7.2, indicating a high severity with network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability’s nature and ease of exploitation by an administrator-level user make it a significant threat. The plugin’s widespread use in WordPress environments increases the potential attack surface. The vulnerability was published on April 26, 2025, and has been enriched by CISA, highlighting its importance. No official patch links are currently available, emphasizing the need for immediate mitigation steps by administrators.
Potential Impact
The primary impact of CVE-2025-3491 is remote code execution on affected WordPress servers, which can lead to complete compromise of the web server and potentially the underlying network. Attackers with administrator access can leverage this vulnerability to execute arbitrary PHP code, allowing them to install backdoors, steal sensitive data, modify website content, or pivot to other internal systems. This threatens the confidentiality, integrity, and availability of the affected systems. Organizations relying on the vulnerable plugin risk website defacement, data breaches, service disruptions, and reputational damage. Given WordPress’s extensive use worldwide, the vulnerability could be exploited in targeted attacks against high-value websites, including e-commerce, government, and enterprise portals. The requirement for administrator-level access limits exploitation to insiders or attackers who have already compromised credentials, but the ease of code injection once access is obtained makes this a critical escalation vector. The absence of known public exploits currently reduces immediate widespread exploitation but does not eliminate the risk of future attacks.
Mitigation Recommendations
1. Immediate action should be to update the 'Add custom page template' plugin to a patched version once released by the vendor. Monitor official channels for patch announcements.
2. Until a patch is available, restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise.
3. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'template_name' parameter.
4. Conduct regular code audits and vulnerability scans on WordPress plugins to identify similar injection flaws proactively.
5. Employ the principle of least privilege by limiting plugin usage and administrator rights only to necessary users.
6. Monitor server logs for unusual PHP execution patterns or unexpected changes in website files that may indicate exploitation attempts.
7. Consider isolating WordPress instances in containerized or sandboxed environments to limit the blast radius of potential compromises.
8. Backup website data and server configurations regularly to enable rapid recovery in case of successful exploitation.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-10T00:05:32.738Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d983dc4522896dcbef798
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 2/27/2026, 1:35:10 PM
Last updated: 3/25/2026, 1:38:34 AM