Description
The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.18. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-10-24
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential remote code execution via arbitrary file upload
Action: Immediate Patch
AI Analysis

Impact

The AIO Forms plugin for WordPress allows administrators to import form configurations through a zip upload. The plugin lacks file type validation during import, enabling authenticated users with Administrator permissions to upload files of any type. This flaw, classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), can be leveraged to place malicious code on the web server, potentially leading to remote code execution.

Affected Systems

WordPress sites using the AIO Forms – Craft Complex Forms Easily plugin versions 1.3.18 and earlier are affected. Administrators or users with higher privileges on these sites can exploit the weakness.

Risk and Exploitability

The CVSS score of 7.2 indicates a high-impact vulnerability. However, the EPSS score is below 1%, suggesting a low probability of immediate exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need administrator access and the ability to navigate to the import function to upload a crafted file; no external interface is required. Once uploaded, malicious files could be executed by accessing them through the web server, giving attackers code execution capabilities.

Generated by OpenCVE AI on April 22, 2026 at 16:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AIO Forms plugin to any version newer than 1.3.18 so that the file type validation is restored.
  • If an upgrade cannot be applied immediately, disable the zip import feature for all but the most trusted administrators, or remove it entirely from the plugin configuration.
  • As a temporary safeguard, configure the web server or the plugin to store uploaded files outside the web-accessible directory and enforce strict MIME type checks so that uploaded files cannot be executed.
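The check the plugin is missing, as an added example rather than the plugin's own code: a hypothetical helper that inspects every entry of an import archive before extraction, allowlisting a single extension, rejecting path traversal and verifying that the payload actually parses as form configuration (JSON is assumed as the import format). It assumes PHP 8 with the zip extension.

```php
<?php
// Added example (not the plugin's own code): validate a form-import zip
// before anything is extracted. Assumes PHP >= 8.0 with the zip extension.

/**
 * Returns a list of rejection reasons; an empty array means every entry is
 * an allowlisted, well-formed file and the archive may be extracted into a
 * staging directory outside the web root.
 */
function aio_import_validate_zip(string $zipPath, array $allowedExt = ['json'], int $maxEntries = 50): array
{
    $problems = [];
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::RDONLY) !== true) {
        return ['archive could not be opened'];
    }
    if ($zip->numFiles > $maxEntries) {
        $problems[] = "archive has {$zip->numFiles} entries, limit is $maxEntries";
    }
    for ($i = 0; $i < $zip->numFiles && $i < $maxEntries; $i++) {
        $name = $zip->getNameIndex($i);
        // Absolute paths or '..' segments could write outside the staging directory.
        if (str_starts_with($name, '/') || preg_match('#(^|/)\.\.(/|$)#', $name)) {
            $problems[] = "$name: path traversal";
            continue;
        }
        if (str_ends_with($name, '/')) {
            continue; // directory entry, carries no payload
        }
        // Require exactly one extension, so 'x.php.json' is rejected along with 'x.php'.
        $parts = explode('.', strtolower(basename($name)));
        if (count($parts) !== 2 || !in_array($parts[1], $allowedExt, true)) {
            $problems[] = "$name: extension not allowlisted";
            continue;
        }
        // The extension alone proves nothing about content: the payload must parse.
        $data = $zip->getFromIndex($i);
        json_decode($data === false ? '' : $data, true);
        if ($data === false || json_last_error() !== JSON_ERROR_NONE) {
            $problems[] = "$name: not valid JSON";
        }
    }
    $zip->close();
    return $problems;
}

// Usage in the upload handler (constructed): refuse the import unless the list is empty.
// $problems = aio_import_validate_zip($_FILES['import']['tmp_name']);
// if ($problems !== []) { unlink($_FILES['import']['tmp_name']); /* report and abort */ }
```

Combine this with storing the extracted files outside the document root, as the recommendation above describes, so that a file which slips past the allowlist still cannot be requested through the web server.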

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
  Values Removed: The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.15. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
  Values Added: The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.18. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Type: Title
  Values Removed: AIO Forms <= 1.3.15 - Authenticated (Admin+) Arbitrary File Upload via Zip Import
  Values Added: AIO Forms <= 1.3.18 - Authenticated (Admin+) Arbitrary File Upload via Zip Import
Type: References

Mon, 27 Oct 2025 22:30:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Fri, 24 Oct 2025 13:15:00 +0000

Type: Metrics
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Oct 2025 08:30:00 +0000

Type: Description
  Values Added: The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.15. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Type: Title
  Values Added: AIO Forms <= 1.3.15 - Authenticated (Admin+) Arbitrary File Upload via Zip Import
Type: Weaknesses
  Values Added: CWE-434
Type: References
Type: Metrics
  Values Added: cvssV3_1
  {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:31.699Z

Reserved: 2025-10-16T18:48:53.653Z

Link: CVE-2025-11889

Vulnrichment

Updated: 2025-10-24T12:12:27.476Z

NVD

Status: Deferred

Published: 2025-10-24T09:15:43.353

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11889

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:00:12Z

Weaknesses