CVE-2025-11977
Received Received - Intake

Local File Inclusion in Happyforms WordPress Plugin

Vulnerability report for CVE-2025-11977, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Wordfence

Description

The Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.26.12 via the happyforms_get_form_partial() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
happyforms happyforms to 1.26.12 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the Happyforms – Form Builder for WordPress plugin, specifically in all versions up to and including 1.26.12. It is a Local File Inclusion (LFI) vulnerability found in the happyforms_get_form_partial() function.

This vulnerability allows authenticated attackers with Administrator-level access or higher to include and execute arbitrary .php files on the server. By doing so, they can run any PHP code contained in those files.

Impact Analysis

This vulnerability can have serious impacts including bypassing access controls, obtaining sensitive data, and executing arbitrary code on the server.

  • Bypassing access controls
  • Obtaining sensitive data stored on the server
  • Executing arbitrary PHP code, which can lead to full compromise of the server
Detection Guidance

This vulnerability affects the Happyforms WordPress plugin versions up to and including 1.26.12 and requires authenticated attackers with Administrator-level access. Detection involves verifying the plugin version installed on your WordPress site.

Since the vulnerability is a Local File Inclusion via the happyforms_get_form_partial() function, detection on the network level is difficult without specific exploit signatures.

You can check the installed version of the Happyforms plugin by running the following WP-CLI command on your WordPress installation:

  • wp plugin list --status=active | grep happyforms

If the version is 1.26.12 or lower, your system is vulnerable.

Additionally, you can search your web server logs for suspicious requests targeting the happyforms_get_form_partial() function or unusual POST requests to the plugin's AJAX endpoints, which might indicate exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability, immediately update the Happyforms plugin to a version later than 1.26.12 where the Local File Inclusion issue is fixed.

If an update is not immediately possible, restrict Administrator-level access to trusted users only, as exploitation requires authenticated Administrator privileges.

Additionally, review and harden file upload restrictions to prevent uploading of arbitrary .php files that could be included and executed.

Monitor your server logs for any suspicious activity related to the plugin and consider temporarily disabling the plugin if exploitation is suspected.

Compliance Impact

The vulnerability in the Happyforms plugin allows authenticated administrators to execute arbitrary PHP code on the server, which can lead to bypassing access controls and obtaining sensitive data.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over sensitive data and secure handling to prevent unauthorized access.

If exploited, this vulnerability could result in breaches of confidentiality, integrity, and availability of sensitive information, thereby violating regulatory requirements.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11977. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart