Skip to main content

WordPress CVE-2025-11889

HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2025-10-24 security@wordfence.com
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Apr 08, 2026 - 18:38 vuln.today
CVE Published
Oct 24, 2025 - 09:15 nvd
HIGH 7.2

DescriptionCVE.org

The AIO Forms - Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.18. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

AnalysisAI

Arbitrary file upload in AIO Forms (WordPress plugin) through version 1.3.18 enables authenticated administrators to upload malicious files and execute arbitrary code on the server. The vulnerability stems from insufficient file type validation in the plugin's import functionality (CWE-434). While requiring administrator-level access (CVSS PR:H), this represents a privilege escalation risk in compromised or multi-admin environments and could enable persistent backdoor installation. No public exploit identified at time of analysis, and exploitation requires high-privilege credentials, limiting immediate mass-exploitation risk.

Technical ContextAI

The vulnerability exists in the AIO Forms plugin's import functionality, which fails to properly validate file types during upload operations. This is a classic instance of CWE-434 (Unrestricted Upload of File with Dangerous Type), where an application accepts user-supplied files without adequately verifying their content, extension, or MIME type. When an administrator imports form configurations or related data, the plugin does not restrict file types to safe formats (such as JSON or CSV), allowing arbitrary file uploads including PHP scripts. Once uploaded to a web-accessible directory on the WordPress installation, these files can be directly executed by the web server, granting the attacker command execution capabilities. The affected product is specifically 'All-in-One Forms' (WordPress plugin slug: all-in-one-forms), affecting all versions through 1.3.18. WordPress plugins typically run with the same privileges as the web server process, making arbitrary code execution particularly dangerous as it can lead to full site compromise, database access, and lateral movement to the underlying server.

Affected ProductsAI

The vulnerability affects the AIO Forms (All-in-One Forms - Craft Complex Forms Easily) plugin for WordPress, impacting all versions up to and including 1.3.18. This is a third-party WordPress plugin available through the official WordPress.org plugin repository at https://wordpress.org/plugins/all-in-one-forms/. Any WordPress installation running AIO Forms version 1.3.18 or earlier is vulnerable, provided an administrator account exists that could be compromised or misused. The plugin is designed for creating complex forms within WordPress sites, and the vulnerability specifically resides in its form import functionality. Organizations should audit their WordPress installations to identify instances of this plugin and verify installed versions against the vulnerable range.

RemediationAI

Update the AIO Forms plugin to version 1.3.19 or later, which addresses the file upload validation issue according to the changeset reference at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3400661%40all-in-one-forms&new=3400661%40all-in-one-forms. WordPress administrators should navigate to the Plugins section of the WordPress dashboard and apply available updates immediately. As an additional security measure, review administrator account access and implement principle of least privilege by limiting the number of users with administrator-level permissions. Enable WordPress security logging to detect suspicious file upload activity and consider implementing web application firewall (WAF) rules to monitor and restrict file uploads to known-safe extensions. If immediate patching is not feasible, consider temporarily disabling the AIO Forms plugin until the update can be applied, though this will disrupt form functionality. Review the plugin's upload directories (typically within wp-content/uploads/) for any suspicious PHP files or unexpected scripts uploaded prior to patching. For comprehensive guidance, consult the Wordfence threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc69491-0f40-4bab-9215-b25f72110e26.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2025-11889 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy