Description
The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image_from_external_url() function in all versions up to, and including, 1.1.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in configurations where unauthenticated users have been provided with a method for adding featured images, and the workflow trigger is created.
Published: 2025-11-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The Tablesome Table – Contact Form DB plugin for WordPress is vulnerable to arbitrary file uploads because it lacks file type validation in the set_featured_image_from_external_url() function. This flaw allows unauthenticated users to upload any file to the website’s server, potentially creating a path to remote code execution in environments where unauthenticated users can add featured images through the plugin’s workflow trigger. The weakness is categorized as CWE‑434 (Unrestricted Upload of File with Dangerous Type), reflecting the missing file type validation.

Affected Systems

WordPress sites using the Tablesome Table – Contact Form DB plugin, including its integrations with WPForms, Contact Form 7, Gravity Forms, Forminator, and Fluent Forms, are affected. All releases up to and including version 1.1.32 of the plugin are vulnerable; newer releases are not listed as impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating critical severity, while the EPSS score is below 1%, suggesting a low but non‑zero exploitation probability at present. It is not flagged in the CISA KEV catalog. Attackers can exploit the flaw without authentication via a web front‑end endpoint that accepts external image URLs. If the site’s configuration permits unauthenticated users to submit featured image URLs and a workflow trigger is present, the uploaded file could be executed, leading to full remote code execution on the server.

Generated by OpenCVE AI on April 22, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Tablesome Table – Contact Form DB plugin to a version newer than 1.1.32 that includes the file type validation fix.
  • If a patch is not yet available, restrict the set_featured_image_from_external_url endpoint so that only authenticated users can invoke it, thereby blocking unauthenticated uploads.
  • Reconfigure the web server so that any files uploaded via this plugin cannot be executed: move the upload directory outside the web root, or set the directory’s permissions to non‑executable and disable script execution in that directory.


Tracking


Advisories

No advisories yet.

History

Mon, 03 Nov 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 03 Nov 2025 10:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Essekia; Essekia tablesome Table; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Essekia; Essekia tablesome Table; Wordpress; Wordpress wordpress

Sat, 01 Nov 2025 07:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image_from_external_url() function in all versions up to, and including, 1.1.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in configurations where unauthenticated users have been provided with a method for adding featured images, and the workflow trigger is created.

Type: Title
Values Removed: (none)
Values Added: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent <= 1.1.32 - Unauthenticated Arbitrary File Upload

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-434

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Essekia Tablesome Table
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:46.110Z

Reserved: 2025-10-08T14:03:51.516Z

Link: CVE-2025-11499

Vulnrichment

Updated: 2025-11-03T13:24:10.193Z

NVD

Status: Deferred

Published: 2025-11-01T07:15:34.940

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11499

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:00:18Z

Weaknesses