Description
The Pie Forms for WP plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.6 via the format_classic function. This is due to insufficient file type validation where the validate_classic method validates file extensions and sets error messages but does not prevent the file upload process from continuing. This makes it possible for unauthenticated attackers to upload files with dangerous extensions such as PHP, which makes remote code execution possible. In order to exploit this vulnerability, the attacker needs to guess the directory in which the file is placed (which is a somewhat predictable hash). In addition to that, the file name is generated using a secure hash method, limiting the exploitability of this vulnerability.
Published: 2025-11-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The Pie Forms for WP plugin contains an insufficient file type validation flaw that allows an unauthenticated attacker to upload files with dangerous extensions such as PHP through the format_classic function. The validate_classic method only checks extensions and sets an error message but continues the upload process, enabling the attacker to place a malicious file on the server. If such a file is executed, the attacker can run arbitrary code on the hosting web server, effectively compromising the entire WordPress site.

Affected Systems

The vulnerability targets the Pie Forms — Drag & Drop Form Builder developed by genetechproducts for WordPress. Any WordPress site running the plugin in version 1.6 or earlier is susceptible, particularly the file upload field provided by the plugin. The attack requires no authentication, making all sites with the vulnerable plugin a potential target.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score is less than 1%, suggesting exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is unauthenticated form submission, and the upload directory is a somewhat predictable hash while the file name is hashed, reducing but not eliminating the risk of remote code execution.

Generated by OpenCVE AI on April 22, 2026 at 00:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pie Forms for WP plugin to a version newer than 1.6; if no update is available, uninstall the plugin entirely.
  • Disable the file upload functionality in Pie Forms for WP or restrict form access to authenticated users only, thereby eliminating the unauthenticated upload vector.
  • Configure the web server or application firewall to deny execution of files placed in the upload directory, or block PHP execution for uploaded files with risky extensions.

Generated by OpenCVE AI on April 22, 2026 at 00:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 19 Nov 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Genetechproducts
Genetechproducts pie Forms
Wordpress
Wordpress wordpress
Vendors & Products Genetechproducts
Genetechproducts pie Forms
Wordpress
Wordpress wordpress

Tue, 18 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 18 Nov 2025 08:45:00 +0000

Type Values Removed Values Added
Description The Pie Forms for WP plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.6 via the format_classic function. This is due to insufficient file type validation where the validate_classic method validates file extensions and sets error messages but does not prevent the file upload process from continuing. This makes it possible for unauthenticated attackers to upload files with dangerous extensions such as PHP, which makes remote code execution possible. In order to exploit this vulnerability, the attacker needs to guess the directory in which the file is placed (which is a somewhat predictable hash). In addition to that, the file name is generated using a secure hash method, limiting the exploitability of this vulnerability.
Title Pie Forms for WP <= 1.6 - Unauthenticated Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Genetechproducts Pie Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:26.537Z

Reserved: 2025-10-30T17:43:52.699Z

Link: CVE-2025-12528

cve-icon Vulnrichment

Updated: 2025-11-18T16:03:26.678Z

cve-icon NVD

Status : Deferred

Published: 2025-11-18T09:15:48.710

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12528

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:45:04Z

Weaknesses