Local File Inclusion Vulnerability in Happyforms Plugin for WordPress
CVE-2025-11977
6.6MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2025-11977?
The Happyforms plugin for WordPress is susceptible to a Local File Inclusion vulnerability through the happyforms_get_form_partial() function in versions up to 1.26.12. This issue enables authenticated users with Administrator access to include and execute arbitrary PHP files on the server. By exploiting this vulnerability, attackers can bypass access controls, retrieve sensitive information, or run malicious PHP code if they manage to upload executable .php files.
Affected Version(s)
Happyforms β Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms 0 <= 1.26.12