CVE-2025-3491: 
WordPress vulnerability analysis and mitigation

The Add custom page template plugin for WordPress contains a PHP Code Injection vulnerability (CVE-2025-3491) that affects all versions up to and including 2.0.1. The vulnerability exists in the 'acptvalidatesetting' function due to insufficient sanitization of the 'template_name' parameter. This security flaw was discovered and disclosed on April 26, 2025 (NVD, Wiz).

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) and has been assigned a CVSS 3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The security flaw specifically resides in the 'acptvalidatesetting' function where insufficient sanitization of the 'template_name' parameter allows for code injection (NVD, Wiz).

If successfully exploited, this vulnerability allows authenticated attackers with administrative access to execute arbitrary code on the affected server, potentially leading to complete system compromise. The high CVSS score reflects the severe potential impact on confidentiality, integrity, and availability of the affected system (Wiz).

Users of the Add custom page template plugin should upgrade to a version newer than 2.0.1 once available. In the meantime, it is recommended to restrict administrator access to trusted users only (Wiz).