CVE-2025-11087
BaseFortify
Publication date: 2025-11-21
Last updated on: 2025-11-21
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | zegen_core | * |
| wordpress | wordpress | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11087 is a Cross-Site Request Forgery (CSRF) vulnerability in the Zegen Core plugin for WordPress, affecting all versions up to and including 2.0.1, that results in arbitrary file upload. The affected upload handler, in one of the plugin's PHP files, performs neither nonce validation (WordPress's CSRF token check) nor file type validation. An unauthenticated attacker cannot call the handler directly, but can get a logged-in site administrator to trigger it by luring them to a page or link that submits a forged request carrying the administrator's session cookies; because the file type is not checked either, the file the attacker chose is written to the server.
How can this vulnerability impact me?
Because the handler accepts any file type, an attacker who succeeds in the CSRF step can place a server-executable file (for example a PHP script) under a web-reachable directory and then request it directly, which turns the upload into remote code execution. Code running in the web server's context can read the site's database credentials, modify content, install backdoors, or take the site offline, compromising its confidentiality, integrity, and availability.
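The two answers above describe a bug class rather than the plugin's actual code, so the following is an added illustration, not Zegen Core's source: an AJAX upload handler written the way the advisory describes (no nonce, no capability check, no file type validation) next to a hardened version using WordPress core APIs. The handler names, the AJAX action name `zc_demo_upload`, the `file` and `_wpnonce` request fields and the image-only allow-list are hypothetical choices made for this example.

```php
<?php
/**
 * Added illustration for CVE-2025-11087 (CSRF -> arbitrary file upload).
 * Not the Zegen Core plugin's code: the handler names, the AJAX action name
 * and the request field names below are hypothetical. The structure mirrors
 * the bug class the advisory describes: an upload handler reachable with the
 * victim's session that checks neither a nonce nor the file type.
 */

// --- Vulnerable pattern (do not deploy) -------------------------------------
// Any request carrying the logged-in user's cookies reaches this code, so a
// page the administrator merely visits can auto-submit a multipart form to it.
function zc_demo_upload_vulnerable() {
    if ( empty( $_FILES['file'] ) ) {
        wp_die( 'no file' );
    }
    $upload_dir = wp_upload_dir();
    // No nonce, no capability check, no extension/MIME validation: a .php
    // payload lands in a web-served directory under the victim's session.
    $dest = trailingslashit( $upload_dir['path'] ) . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'path' => $dest ) );
}

// --- Hardened pattern -------------------------------------------------------
function zc_demo_upload_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action and this
    //    user. check_ajax_referer() wraps wp_verify_nonce() and dies on failure.
    check_ajax_referer( 'zc_demo_upload', '_wpnonce' );

    // 2. Authorisation: a nonce proves intent, not privilege, so check a
    //    capability as well.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. File type: restrict to an explicit allow-list and let core verify
    //    that the claimed extension and the sniffed MIME type agree.
    $allowed = array(
        'jpg' => 'image/jpeg',
        'png' => 'image/png',
        'gif' => 'image/gif',
    );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Let wp_handle_upload() perform the move: it sanitises the filename,
    //    applies the same allow-list again and writes into the uploads dir.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Register only the hardened handler. The admin page that hosts the upload
// form emits the matching token with wp_nonce_field( 'zc_demo_upload' ),
// which renders a hidden _wpnonce input that check_ajax_referer() expects.
add_action( 'wp_ajax_zc_demo_upload', 'zc_demo_upload_hardened' );
```

Two points worth checking when auditing a plugin for this pattern: a nonce check alone is not enough, since `wp_verify_nonce()` only proves the request was built from a page the same user loaded, so a `current_user_can()` check must sit beside it; and an extension allow-list alone is not enough either, since `wp_check_filetype_and_ext()` is what catches a file whose extension and content disagree. A handler that lacks the nonce check is vulnerable to exactly the CSRF this CVE describes; one that lacks the type check turns any upload path into a code-execution path.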