CVE-2025-12528
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-11-18
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpres | pie_forms | 1.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can lead to remote code execution on the affected WordPress site, allowing attackers to run malicious code, potentially compromising the server, stealing data, or taking control of the website.
Can you explain this vulnerability to me?
This vulnerability exists in the Pie Forms for WP plugin for WordPress (up to version 1.6) and allows unauthenticated attackers to upload arbitrary files due to insufficient file type validation. Although the plugin validates file extensions and sets error messages, it does not stop the upload process, enabling attackers to upload dangerous files like PHP scripts. Exploiting this requires guessing the somewhat predictable directory and the file name, which is generated using a secure hash method, limiting exploitability.
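The control-flow flaw described above (the extension check records an error but the upload still proceeds), shown beside a corrected handler. This is an added illustration, not the Pie Forms source: the function names, the allow-list, the random-hash file naming and the sample file are assumptions, and `copy()` stands in for `move_uploaded_file()` so the script runs from the command line.

```php
<?php
// Added illustration; not code from the plugin. All names here are hypothetical.
const ALLOWED_EXT = ['jpg', 'png', 'pdf'];   // assumed allow-list

function ext_of(string $name): string {
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

function ext_error(string $name): ?string {
    $ext = ext_of($name);
    return in_array($ext, ALLOWED_EXT, true) ? null : "File type .$ext is not allowed";
}

function store(array $file, string $dir): string {
    // Hashed file name, keeping the client-supplied extension.
    $dest = $dir . '/' . hash('sha256', random_bytes(16)) . '.' . ext_of($file['name']);
    copy($file['tmp_name'], $dest);          // stands in for move_uploaded_file()
    return $dest;
}

// Flawed pattern: validation runs and sets an error, but nothing stops the write.
function handle_upload_flawed(array $file, string $dir): array {
    $errors = [];
    if ($e = ext_error($file['name'])) {
        $errors[] = $e;                      // error recorded, execution continues
    }
    return ['errors' => $errors, 'stored' => store($file, $dir)];
}

// Corrected pattern: a failed check returns before anything touches the disk.
function handle_upload_fixed(array $file, string $dir): array {
    if ($e = ext_error($file['name'])) {
        return ['errors' => [$e], 'stored' => null];
    }
    return ['errors' => [], 'stored' => store($file, $dir)];
}

// Constructed sample input: a harmless text file carrying a disallowed extension.
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, 'constructed sample content');
$file = ['name' => 'sample.php', 'tmp_name' => $tmp];

foreach (['handle_upload_flawed', 'handle_upload_fixed'] as $fn) {
    $r = $fn($file, $dir);
    $onDisk = ($r['stored'] !== null && file_exists($r['stored'])) ? 'yes' : 'no';
    printf("%s: errors=%d, file written=%s\n", $fn, count($r['errors']), $onDisk);
}

array_map('unlink', glob($dir . '/*'));      // clean up the demo files
rmdir($dir);
unlink($tmp);
```

Both handlers report the same validation error, so a response or log entry alone does not show whether the file reached disk; the only difference is the early return.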