CVE Alert: CVE-2025-11889 – edgarrojas – AIO Forms – Craft Complex Forms Easily
CVE-2025-11889
The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.15. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.
AI Summary Analysis
Risk verdict
High impact (remote code execution on the web host) but a narrow precondition: the attacker must already hold an Administrator-level account and submit a malicious file through the vulnerable import function. Risk is concentrated on sites where admin credentials can be obtained or misused.
Why this matters
Exploitation requires Administrator-level access, but WordPress admin accounts are routinely lost to credential stuffing, phishing and insider misuse, and a compromised admin would otherwise be limited to what the dashboard allows. This flaw turns that dashboard access into code execution on the server: an attacker could upload and run arbitrary PHP, take full control of the web host, exfiltrate the database, or deface the site. On shared or loosely segmented hosting, the impact can cascade to other sites, services and data stores reachable from the compromised account.
Most likely attack path
An attacker holding an Administrator-level account submits a crafted import file, such as a ZIP archive, through the plugin's import feature. Because the import handler performs no file-type validation, the upload can carry a PHP file (or other server-executable content) that is written into a web-reachable, writable directory. Requesting that file then executes the attacker's code under the web server's account. From there the attacker typically drops a web shell for persistence, harvests wp-config.php credentials, and looks for lateral movement within the hosting environment.
Who is most exposed
Every site running the affected plugin at version 1.3.15 or earlier is exposed, most acutely those whose wp-admin is reachable from the internet, that lack MFA, or that reuse or weakly protect admin passwords. Whether an uploaded payload actually runs also depends on the destination directory being web-reachable and the server being willing to execute PHP from it; hosts that serve wp-content/uploads and plugin directories with PHP execution enabled are the easiest targets.
Detection ideas
- Unusual import activity (ZIP or other file uploads to the plugin's import endpoint) from admin accounts outside normal maintenance windows
- New or modified files in wp-content/uploads or plugin directories, especially PHP-family files (.php, .phtml, .phar) and double-extension names such as image.php.jpg, or non-PHP files whose contents begin with a PHP open tag
- Web shell or PHP payload indicators in the webroot or other writable folders, and requests for newly created files that return 200 where nothing should be served
- Admin session anomalies: logins at unusual times or from new locations, new Administrator users, or role changes
- Spikes in POSTs to wp-admin/admin-ajax.php or admin-post.php, or in file-write operations, shortly before any of the above
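The two detections above that are easiest to automate are the log check for off-hours admin imports and the filesystem sweep for executable content in upload trees. The script below is an added example, not code from the advisory, the plugin or the site; the request paths, the maintenance window and every log line and file it uses are constructed assumptions for illustration, and the real import endpoint should be taken from your own access logs.

```python
"""Detection helpers for the AIO Forms import-upload issue (added example).
The import request paths, the maintenance window and the sample log lines
and files below are constructed assumptions, not data from the advisory."""
import os
import re
import tempfile
from datetime import datetime, time

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Endpoints through which WordPress plugins normally receive admin form posts
# (assumption: adapt to the exact path this plugin's import uses on your site).
IMPORT_PATHS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")
# Extensions a PHP interpreter may be configured to execute.
EXEC_EXT = {".php", ".php5", ".php7", ".phtml", ".phar", ".pht", ".phps"}

# Constructed sample: two admin POSTs at 03:14/03:16 UTC, one inside the window.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Oct/2025:03:14:09 +0000] "POST /wp-admin/admin-ajax.php?action=import HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [15/Oct/2025:22:30:00 +0000] "POST /wp-admin/admin-ajax.php?action=import HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Oct/2025:03:15:01 +0000] "GET /wp-admin/admin.php?page=tools HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Oct/2025:03:16:40 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def suspicious_imports(lines, window=(time(22, 0), time(23, 59))):
    """Return (ip, timestamp, path) for POSTs to admin form endpoints that fall
    outside the maintenance window (assumed here to be 22:00-23:59 server time)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(IMPORT_PATHS):
            continue
        t = rec["when"].time()
        if not (window[0] <= t <= window[1]):
            hits.append((rec["ip"], rec["when"].isoformat(), rec["path"]))
    return hits


def find_executable_files(root):
    """Walk an upload tree and flag files that should never be server code:
    any PHP-family extension anywhere in the name (catches shell.php.jpg) or a
    PHP open tag in the first 4 KiB (catches payloads hidden in .txt/.json)."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            exts = {"." + part.lower() for part in name.split(".")[1:]}
            if exts & EXEC_EXT:
                found.append(rel)
                continue
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if b"<?php" in head or b"<?=" in head:
                found.append(rel)
    return sorted(found)


def demo_scan():
    """Build a constructed upload tree in a temp dir and scan it."""
    samples = {
        "2025/10/form-export.json": b'{"fields": []}',
        "2025/10/logo.png": b"\x89PNG\r\n\x1a\n",
        "2025/10/cache.php": b"<?php echo 1;",
        "2025/10/avatar.php.jpg": b"\xff\xd8\xff",
        "2025/10/notes.txt": b"<?php system($_GET['c']); ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return find_executable_files(root)


if __name__ == "__main__":
    for hit in suspicious_imports(SAMPLE_LOG):
        print("off-hours admin POST:", hit)
    for rel in demo_scan():
        print("executable content in uploads:", rel)
```

Run the log check over the real access log of the site and the file sweep over wp-content/uploads (and, after any suspected exploitation, the plugin directories too). The file sweep is deliberately content-based as well as name-based, because an upload handler with no type validation will happily store a payload under any name the attacker chooses.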
Mitigation and prioritisation
- Update the plugin to a release newer than 1.3.15 as soon as one is available; verify the update in staging before rolling it to production.
- If you cannot update, disable the import feature or deactivate the plugin until a fixed version ships. Restricting the import to "trusted admins" adds little on its own, since the flaw is reachable from any Administrator-level account.
- Enforce strict server-side validation of import files (extension and content, not just the client-supplied MIME type) and prevent execution of anything under upload paths: deny PHP execution in wp-content/uploads at the web server (for example, a location rule that returns 403 for *.php under uploads), keep writable directories to the minimum, and store uploads on non-executable storage where the host allows it.
- Harden admin access: MFA for every Administrator account, regular credential rotation, removal of unused admin users, and alerting on import-related requests and new file writes under the webroot.
- Keep a rapid rollback path (known-good backup of files and database) and an incident response runbook ready in case exploitation is detected.
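The server-side validation recommended above is the control the plugin was missing. The function below is an added example of what such a check looks like for a ZIP import, written in Python to keep it runnable here; it is not the plugin's code, not its actual fix, and the allowed extensions (.json and .csv), size limits and sample archives are assumptions for illustration. A WordPress plugin would apply the same checks in PHP with ZipArchive.

```python
"""Validate a ZIP import before anything is extracted (added example).
Allowed extensions, limits and the sample archives are assumptions."""
import io
import posixpath
import zipfile

ALLOWED_EXT = {".json", ".csv"}      # assumption: what a form export contains
MAX_ENTRY_BYTES = 5 * 1024 * 1024    # per-entry uncompressed cap
MAX_ENTRIES = 200


def _safe_member_name(name):
    """True only for a plain relative file path with no traversal, absolute
    root, drive letter or backslash (ZIP names may carry any of these)."""
    if not name or name.endswith("/"):
        return False  # directory entries are not needed for a data import
    if "\\" in name or name.startswith("/") or ":" in name:
        return False
    norm = posixpath.normpath(name)
    return norm == name and ".." not in norm.split("/")


def validate_import_zip(blob, allowed_ext=ALLOWED_EXT):
    """Return a list of problems; an empty list means the archive may be
    imported. Every entry must pass the path, type, size and content checks."""
    buf = io.BytesIO(blob)
    if not zipfile.is_zipfile(buf):
        return ["not a ZIP archive"]
    problems = []
    with zipfile.ZipFile(buf) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries ({len(infos)})")
        for info in infos:
            name = info.filename
            if not _safe_member_name(name):
                problems.append(f"unsafe path: {name!r}")
                continue
            # Symlink entries could point extraction outside the import dir.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                problems.append(f"symlink entry: {name!r}")
                continue
            ext = posixpath.splitext(name)[1].lower()
            if ext not in allowed_ext:
                problems.append(f"disallowed type: {name!r}")
                continue
            if info.file_size > MAX_ENTRY_BYTES:
                problems.append(f"entry too large: {name!r}")
                continue
            # A .json name does not make the bytes JSON: refuse PHP open tags.
            with zf.open(info) as fh:
                head = fh.read(4096)
            if b"<?php" in head or b"<?=" in head:
                problems.append(f"executable content in {name!r}")
    return problems


def _build_zip(entries):
    """Construct an in-memory ZIP from (name, bytes) pairs (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed archives: one legitimate export, one carrying three payload tricks.
BENIGN = _build_zip([("forms.json", b'{"forms": []}'), ("fields.csv", b"id,label\n1,Name\n")])
MALICIOUS = _build_zip([
    ("forms.json", b'{"forms": []}'),
    ("../../wp-content/uploads/shell.php", b"<?php system($_GET['c']);"),  # traversal
    ("theme.phtml", b"<?php echo 1;"),                                       # bad extension
    ("export.php.json", b"<?php phpinfo();"),                                # allowed ext, PHP body
])

if __name__ == "__main__":
    print("benign:", validate_import_zip(BENIGN))
    print("malicious:", validate_import_zip(MALICIOUS))
```

The order of the checks matters: the path test runs first so that a traversal name is never used in a later message or file operation, and the content test runs last only on entries that already passed the cheaper checks. Combined with a web-server rule that refuses to execute PHP under the import destination, this gives two independent layers, either of which alone would have blocked the attack path described above.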