CVE-2025-3491 – Add custom page template <= 2.0.1 - Authenticated (Administrator+) PHP Code Injection to Remote Code Execution

https://notcve.org/view.php?id=CVE-2025-3491

25 Apr 2025 — The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acpt_validate_setting' function. This is due to insufficient sanitization of the 'template_name' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server. • https://plugins.svn.wordpress.org/add-custom-page-template/trunk/index.php • CWE-94: Improper Control of Generation of Code ('Code Injection') •