Description
Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms forms-by-made-it allows Upload a Web Shell to a Web Server.This issue affects Forms: from n/a through <= 2.9.0.
Published: 2025-08-14
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress plugin 'Forms' by Made I.T. contains an unrestricted file upload flaw, identified as CWE-434, that permits an attacker to upload any file type, including executable web shells. By successfully uploading such a file to the server, an adversary can execute arbitrary code on the web server with the permissions of the web application, compromising confidentiality, integrity, and availability of the host and any data processed by the site.

Affected Systems

All released versions of the WordPress Forms plugin by Made I.T. up to and including 2.9.0 are affected. Any website that has this plugin active and the upload interface accessible is vulnerable. Versions newer than 2.9.0 are presumed patched, though a specific fix version is not listed in the data.

Risk and Exploitability

The CVSS score of 9.9 classifies the issue as critical. The EPSS score of less than 1% suggests a low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via the Forms plugin’s upload endpoint; it is inferred that the upload page is reachable by users without privileged access, though the exact authentication requirements are unspecified. If an attacker can reach this endpoint, they can upload a malicious file and gain full code‑execution privileges on the web server.

Generated by OpenCVE AI on May 1, 2026 at 06:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Forms plugin to the latest version released by Made I.T. that resolves the arbitrary file upload flaw.
  • If an upgrade cannot be performed immediately, disable the Forms plugin’s upload functionality or remove the plugin entirely from the site.
  • Implement server‑side validation to restrict accepted upload types to safe file extensions (e.g., .jpg, .png, .gif) and reject or quarantine any executable or script files.

Generated by OpenCVE AI on May 1, 2026 at 06:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-24728 Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms allows Upload a Web Shell to a Web Server. This issue affects Forms: from n/a through 2.9.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms allows Upload a Web Shell to a Web Server. This issue affects Forms: from n/a through 2.9.0. Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms forms-by-made-it allows Upload a Web Shell to a Web Server.This issue affects Forms: from n/a through <= 2.9.0.
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Sat, 16 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Madeit
Madeit forms
Wordpress
Wordpress wordpress
Vendors & Products Madeit
Madeit forms
Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms allows Upload a Web Shell to a Web Server. This issue affects Forms: from n/a through 2.9.0.
Title WordPress Forms <= 2.9.0 - Arbitrary File Upload Vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Madeit Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:34.345Z

Reserved: 2025-01-23T14:53:25.027Z

Link: CVE-2025-24775

cve-icon Vulnrichment

Updated: 2025-08-14T13:27:14.428Z

cve-icon NVD

Status : Deferred

Published: 2025-08-14T11:15:30.617

Modified: 2026-04-23T15:25:29.240

Link: CVE-2025-24775

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T06:45:11Z

Weaknesses