Local File Inclusion Vulnerability in Happyforms Plugin for WordPress
CVE-2025-11977

6.6MEDIUM

What is CVE-2025-11977?

The Happyforms plugin for WordPress is susceptible to a Local File Inclusion vulnerability through the happyforms_get_form_partial() function in versions up to 1.26.12. This issue enables authenticated users with Administrator access to include and execute arbitrary PHP files on the server. By exploiting this vulnerability, attackers can bypass access controls, retrieve sensitive information, or run malicious PHP code if they manage to upload executable .php files.

Affected Version(s)

Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms 0 <= 1.26.12

References

CVSS V3.1

Score:
6.6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Rahul Sreenivasan (Tr0j4n)
.