CVE-2025-11889
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description
The AIO Forms - Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.18. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Analysis
Arbitrary file upload in AIO Forms (WordPress plugin) through version 1.3.18 enables authenticated administrators to upload malicious files and execute arbitrary code on the server. The vulnerability stems from insufficient file type validation in the plugin's import functionality (CWE-434). While it requires administrator-level access (CVSS PR:H), it represents a privilege escalation risk in compromised or multi-admin environments and could enable persistent backdoor installation. No public exploit was identified at the time of analysis, and because exploitation requires high-privilege credentials, the immediate mass-exploitation risk is limited.
Technical Context
The vulnerability exists in the AIO Forms plugin's import functionality, which fails to properly validate file types during upload operations. This is a classic instance of CWE-434 (Unrestricted Upload of File with Dangerous Type), where an application accepts user-supplied files without adequately verifying their content, extension, or MIME type. When an administrator imports form configurations or related data, the plugin does not restrict file types to safe formats (such as JSON or CSV), allowing arbitrary file uploads including PHP scripts. Once uploaded to a web-accessible directory on the WordPress installation, these files can be directly executed by the web server, granting the attacker command execution capabilities. The affected product is specifically 'All-in-One Forms' (WordPress plugin slug: all-in-one-forms), affecting all versions through 1.3.18. WordPress plugins typically run with the same privileges as the web server process, making arbitrary code execution particularly dangerous as it can lead to full site compromise, database access, and lateral movement to the underlying server.
Affected Products
The vulnerability affects the AIO Forms (All-in-One Forms - Craft Complex Forms Easily) plugin for WordPress, impacting all versions up to and including 1.3.18. This is a third-party WordPress plugin available through the official WordPress.org plugin repository at https://wordpress.org/plugins/all-in-one-forms/. Any WordPress installation running AIO Forms version 1.3.18 or earlier is vulnerable, provided an administrator account exists that could be compromised or misused. The plugin is designed for creating complex forms within WordPress sites, and the vulnerability specifically resides in its form import functionality. Organizations should audit their WordPress installations to identify instances of this plugin and verify installed versions against the vulnerable range.
Remediation
Update the AIO Forms plugin to version 1.3.19 or later, which addresses the file upload validation issue according to the changeset reference at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3400661%40all-in-one-forms&new=3400661%40all-in-one-forms. WordPress administrators should navigate to the Plugins section of the WordPress dashboard and apply available updates immediately. As an additional security measure, review administrator account access and implement the principle of least privilege by limiting the number of users with administrator-level permissions. Enable WordPress security logging to detect suspicious file upload activity and consider implementing web application firewall (WAF) rules to monitor and restrict file uploads to known-safe extensions. If immediate patching is not feasible, consider temporarily disabling the AIO Forms plugin until the update can be applied, though this will disrupt form functionality. Review the plugin's upload directories (typically within wp-content/uploads/) for any suspicious PHP files or unexpected scripts uploaded prior to patching. For comprehensive guidance, consult the Wordfence threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc69491-0f40-4bab-9215-b25f72110e26.
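As an added example, not the plugin's own code and not taken from vuln.today or Wordfence, the two defensive checks described in the Technical Context and Remediation sections above: allow-list validation of an import upload (extension, content and parse), and a sweep of an uploads tree for files that are executable by extension or disguised under a harmless one. The function names, extension sets and sample uploads are assumptions constructed for illustration.

```python
# Added example, not the plugin's own code: allow-list validation for a form-import
# upload, plus a sweep of an uploads tree for files that should never be there.
import csv, io, json, os, re

ALLOWED_EXTENSIONS = {"json", "csv"}   # the only formats a form import routine needs
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Constructed sample uploads (filename -> content) used to exercise the checks.
SAMPLE_UPLOADS = {
    "forms.json": b'{"forms": [{"id": 1, "title": "Contact"}]}',
    "forms.csv": b"id,title\n1,Contact\n",
    "shell.php": b"<?php echo 'x'; ?>",          # executable by extension
    "shell.php.json": b"<?php echo 'x'; ?>",     # double extension
    "export.json": b"<?php echo 'x'; ?>",        # harmless name, PHP body
    "broken.json": b"{not json",                 # right name, not the claimed format
}

def validate_import_file(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Name, content and parse checks are all required,
    so a renamed script does not pass just because it ends in .json."""
    parts = filename.lower().split(".")
    if len(parts) != 2:                       # no extension, or shell.php.json
        return False, "filename must have exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f".{ext} is not in the import allow-list"
    if PHP_OPEN_TAG.search(data):             # content check is independent of the name
        return False, "content contains a PHP open tag"
    try:                                      # the file must really be the format it claims
        if ext == "json":
            json.loads(data.decode("utf-8"))
        else:
            next(csv.reader(io.StringIO(data.decode("utf-8"))))
    except (UnicodeDecodeError, ValueError, StopIteration) as exc:
        return False, f"content does not parse as {ext}: {exc}"
    return True, "ok"

def find_suspicious_uploads(root: str) -> list[str]:
    """Walk an uploads tree (wp-content/uploads in the advisory); list executable or disguised files."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            exts = set(name.lower().split(".")[1:])   # shell.php.jpg is flagged too
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if exts & EXECUTABLE_EXTENSIONS or PHP_OPEN_TAG.search(head):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)
```

The sweep only reads the first 4096 bytes of each file, so a PHP open tag placed deeper in a large file would be missed; tighten the read size or use a full-file scan where that matters.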