Description
The Zegen Core plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.0.1. This is due to missing nonce validation and missing file type validation in the '/custom-font-code/custom-fonts-uploads.php' file. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-11-21
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Zegen Core for WordPress is vulnerable to cross-site request forgery (CWE-352) in the upload handler at /custom-font-code/custom-fonts-uploads.php. The handler checks neither a WordPress nonce nor the type of the uploaded file. The missing nonce means a request forged by an attacker's page and submitted by a logged-in administrator's browser is processed exactly as if the administrator had intended it, since the browser attaches the session cookie and nothing in the request proves intent; the missing type check means the file written to disk may be anything, including PHP. The attacker needs no account on the site, only an administrator who visits the attacker-controlled page (for example by clicking a link) while logged in. If the upload lands in a web-accessible directory where the server executes PHP, one further request to the file's URL runs the attacker's code with the privileges of the web server process.

Affected Systems

The vulnerability affects the Zegen Core plugin from Zozothemes for WordPress versions up to and including 2.0.1. Any site running one of those versions is at risk.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 8.8 (High), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: the attacker needs no privileges, but user interaction (the administrator visiting the attacker's page) is required, and a successful attack yields full loss of confidentiality, integrity and availability. The EPSS score is under 1%, the issue is not in the CISA KEV catalog, and the SSVC assessment recorded in the history below rates it not automatable with no known exploitation, so exploitation does not appear to be widespread. The attack path is classic CSRF: the attacker must lure a logged-in administrator to a page that submits a forged multipart POST to the upload endpoint, and without a nonce the server cannot distinguish that request from a legitimate one. Two caveats shape the practical risk. The administrator must be logged in at the time, which is why targeting a known administrator by e-mail or chat is part of the attack. And browsers that treat cookies lacking an explicit SameSite attribute as Lax (Chromium-based browsers do) generally withhold such cookies from a cross-site POST, so whether the forged request arrives authenticated depends on the victim's browser and on how the site's login cookies are set. Neither caveat reduces the impact: a successful upload gives the attacker code execution as the web server user, from which the site's database credentials in wp-config.php, its content and any other sites on the same host are reachable.

Generated by OpenCVE AI on April 27, 2026 at 22:48 UTC.
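
To make the two missing checks concrete, here is an illustrative WordPress upload handler in the weak shape the advisory describes, followed by a hardened version of the same handler. This is an example added for this page, not Zegen Core's code: the zc_example_* function names, the custom_font form field, the custom-fonts sub-directory and the zc_upload_font admin-post action are assumptions, while the WordPress API calls used (check_admin_referer, current_user_can, wp_check_filetype_and_ext, wp_handle_upload, wp_nonce_field) are the real ones.

```php
<?php
/**
 * Illustrative WordPress font-upload handler: the weak pattern the advisory
 * describes, then a hardened version. Added example, not Zegen Core's code;
 * function names, field names and the target sub-directory are assumptions.
 */

// Weak pattern ("missing nonce validation and missing file type validation"):
// any browser that sends this POST while carrying an admin session gets a file
// of any type written into a web-served directory, under its original name.
function zc_example_unsafe_upload() {
    if ( empty( $_FILES['custom_font'] ) ) {
        return;
    }
    $dest = wp_upload_dir()['basedir'] . '/custom-fonts/' . basename( $_FILES['custom_font']['name'] );
    move_uploaded_file( $_FILES['custom_font']['tmp_name'], $dest ); // no nonce, no capability, no type check
}

// Hardened version: three independent checks.
function zc_example_safe_upload() {
    // 1. CSRF: the nonce is bound to the user's session and to this action, so a
    //    third-party page cannot know it. check_admin_referer() dies on mismatch.
    check_admin_referer( 'zc_upload_font', 'zc_upload_font_nonce' );

    // 2. Authorization: a nonce proves intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    if ( empty( $_FILES['custom_font'] ) || UPLOAD_ERR_OK !== $_FILES['custom_font']['error'] ) {
        wp_die( 'No file uploaded.', '', array( 'response' => 400 ) );
    }

    // 3. File type: only font formats, matched on extension AND content.
    //    A PHP file renamed "font.woff" is sniffed by wp_check_filetype_and_ext()
    //    and rejected because its real type disagrees with its extension.
    $allowed = array(
        'woff'  => 'font/woff',
        'woff2' => 'font/woff2',
        'ttf'   => 'font/ttf',
        'otf'   => 'font/otf',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['custom_font']['tmp_name'],
        $_FILES['custom_font']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'Only WOFF, WOFF2, TTF and OTF fonts may be uploaded.', '', array( 'response' => 415 ) );
    }

    // Let WordPress do the move: it re-checks the type against $allowed,
    // sanitizes the file name and avoids name collisions.
    $result = wp_handle_upload(
        $_FILES['custom_font'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    return $result['file'];
}

// The legitimate form must carry the nonce the handler verifies.
function zc_example_render_form() {
    echo '<form method="post" enctype="multipart/form-data" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="zc_upload_font">';
    wp_nonce_field( 'zc_upload_font', 'zc_upload_font_nonce' );
    echo '<input type="file" name="custom_font" accept=".woff,.woff2,.ttf,.otf">';
    submit_button( 'Upload font' );
    echo '</form>';
}

// admin_post_{action} fires only for logged-in users; unauthenticated
// requests would need the separate admin_post_nopriv_ hook, which is not registered.
add_action( 'admin_post_zc_upload_font', 'zc_example_safe_upload' );
```

Only the nonce defeats the forgery itself: the request arrives with the administrator's own cookie, so the capability check passes, but the attacker's page cannot read the nonce and therefore cannot supply it. The capability check covers the separate case of a low-privileged account hitting the endpoint directly, and the type check is the independent line that stops a PHP payload even if the other two are ever bypassed. wp_handle_upload writes below wp-content/uploads, so it should be paired with a server rule that denies PHP execution there.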

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zegen Core as soon as the vendor ships a release newer than 2.0.1 that adds nonce and file-type validation to the upload handler. The page currently records no vendor fix, so check the plugin changelog before treating an update as the remedy.
  • Until an upgrade is available, deny script execution in the directory the plugin uploads fonts into (and in wp-content/uploads generally) with an .htaccess rule or the equivalent nginx location block, so that an uploaded .php file is refused or served as static content rather than run. Font files need no server-side execution, so the rule has no functional cost.
  • Audit the uploads directory and the rest of the webroot for files that do not belong, in particular PHP files, PHP content saved under font extensions, double extensions such as .php.woff, and anything recently modified; remove them and treat the host as compromised if a webshell is found. Then invalidate every existing session by rotating the authentication keys and salts in wp-config.php and reset administrator passwords, since an attacker who gained code execution can read those secrets and the database credentials.

Generated by OpenCVE AI on April 27, 2026 at 22:48 UTC.
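
The following script, added as a worked example for this page and not part of Zegen Core or of OpenCVE's guidance, carries out the second and third recommendations above on an Apache-served site: it walks an uploads tree looking for PHP-executable extensions, double extensions, and PHP open tags hidden under font file names, then reports whether the directory's .htaccess denies PHP execution and writes such a rule when it does not. The sample tree, its file names and their stand-in contents are constructed for the demonstration; the directory the plugin actually writes fonts into is not named by the advisory, so the real path is passed as an argument.

```php
<?php
/**
 * Post-incident check of a WordPress uploads tree (example for this page; not
 * Zegen Core or OpenCVE code). Usage against a real site:
 *   php scan-uploads.php /var/www/html/wp-content/uploads
 * With no argument it builds a constructed sample tree in the temp directory.
 */

const PHP_EXTENSIONS = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps' );

/** True when any dotted segment after the base name is PHP-executable: catches
 *  cmd.php and the double extension font.php.woff, which careless AddHandler
 *  configurations still run. */
function has_php_extension( string $filename ): bool {
    $parts = array_map( 'strtolower', explode( '.', $filename ) );
    array_shift( $parts ); // base name is not an extension
    foreach ( $parts as $part ) {
        if ( in_array( $part, PHP_EXTENSIONS, true ) ) {
            return true;
        }
    }
    return false;
}

/** True when the first kilobyte holds a PHP open tag: a payload saved under an
 *  innocent name such as icons.woff. */
function looks_like_php( string $path ): bool {
    $head = (string) file_get_contents( $path, false, null, 0, 1024 );
    return 1 === preg_match( '/<\?(php\b|=)/i', $head );
}

/** Walk $dir recursively; return [path, reason] pairs for suspicious files. */
function scan_uploads( string $dir ): array {
    $findings = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        $name = $file->getFilename();
        if ( ! $file->isFile() || '.htaccess' === $name ) {
            continue;
        }
        if ( has_php_extension( $name ) ) {
            $findings[] = array( $file->getPathname(), 'PHP-executable extension' );
        } elseif ( looks_like_php( $file->getPathname() ) ) {
            $findings[] = array( $file->getPathname(), 'PHP open tag in a non-PHP file name' );
        }
    }
    return $findings;
}

/** Apache 2.4 rule: refuse to serve anything PHP-like from this tree, whatever
 *  SAPI runs PHP. nginx needs the equivalent in the server block, e.g.
 *    location ~* /wp-content/uploads/.*\.ph(p[0-9]?|tml|ar|ps)$ { deny all; } */
function php_deny_rule(): string {
    return "# Deny PHP execution in the uploads tree\n"
         . "<FilesMatch \"\\.(php|php[0-9]|phtml|phar|phps)$\">\n"
         . "    Require all denied\n"
         . "</FilesMatch>\n";
}

/** Heuristic: does $dir/.htaccess already carry a PHP deny rule? */
function has_php_deny_rule( string $dir ): bool {
    $ht = $dir . '/.htaccess';
    if ( ! is_file( $ht ) ) {
        return false;
    }
    $rules = (string) file_get_contents( $ht );
    return 1 === preg_match( '/<FilesMatch[^>]*php[^>]*>\s*(Require all denied|Deny from all)|php_flag\s+engine\s+off/i', $rules );
}

/** Constructed sample tree: one real-looking WOFF (magic bytes "wOFF") and three
 *  inert stand-ins for files an attacker might leave behind. */
function build_sample_tree(): string {
    $root = sys_get_temp_dir() . '/uploads-demo-' . bin2hex( random_bytes( 4 ) );
    mkdir( $root . '/custom-fonts', 0700, true );
    file_put_contents( $root . '/custom-fonts/brand.woff', 'wOFF' . str_repeat( "\0", 40 ) );
    file_put_contents( $root . '/custom-fonts/cmd.php', "<?php echo 'stand-in'; ?>" );
    file_put_contents( $root . '/custom-fonts/font.php.woff', "<?php echo 'stand-in'; ?>" );
    file_put_contents( $root . '/custom-fonts/icons.woff', "<?= 'stand-in' ?>" );
    return $root; // left in place so the findings can be inspected
}

$dir = $argv[1] ?? build_sample_tree();
foreach ( scan_uploads( $dir ) as [ $path, $reason ] ) {
    echo "SUSPICIOUS  $path  ($reason)\n"; // remove, and treat the host as compromised
}
if ( has_php_deny_rule( $dir ) ) {
    echo "OK  $dir/.htaccess denies PHP execution\n";
} else {
    file_put_contents( $dir . '/.htaccess', php_deny_rule(), FILE_APPEND );
    echo "FIXED  wrote PHP deny rule to $dir/.htaccess\n";
}
```

On the constructed tree the scan flags cmd.php, font.php.woff and icons.woff and leaves brand.woff alone, then writes the deny rule because the sample directory has none. The deny rule only blocks execution through the web server; it does not remove a webshell already present, which is why the scan runs first and why the session and credential rotation in the third recommendation still has to follow.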

Advisories

No advisories yet.

History

Mon, 24 Nov 2025 09:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Wordpress (vendor); Wordpress / wordpress (product); Zozothemes (vendor); Zozothemes / zegen (product)
Vendors & Products   -                Wordpress (vendor); Wordpress / wordpress (product); Zozothemes (vendor); Zozothemes / zegen (product)

Fri, 21 Nov 2025 21:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 21 Nov 2025 20:45:00 +0000

Type          Values Removed   Values Added
Description   -                The Zegen Core plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.0.1. This is due to missing nonce validation and missing file type validation in the '/custom-font-code/custom-fonts-uploads.php' file. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title         -                Zegen Core <= 2.0.1 - Cross-Site Request Forgery to Arbitrary File Upload
Weaknesses    -                CWE-352
References    -                -
Metrics       -                cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
Zozothemes Zegen
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:47.677Z

Reserved: 2025-09-26T18:46:02.469Z

Link: CVE-2025-11087

Vulnrichment

Updated: 2025-11-21T20:56:32.314Z

NVD

Status : Deferred

Published: 2025-11-21T21:15:50.577

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11087

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T23:00:13Z

Weaknesses