Arbitrary File Upload Vulnerability in Pie Forms for WP Plugin by WordPress
CVE-2025-12528

8.1 HIGH

Key Information:

Vendor

WordPress

CVE Published:
18 November 2025

What is CVE-2025-12528?

The Pie Forms for WP plugin for WordPress is susceptible to an Arbitrary File Upload vulnerability in all versions up to and including 1.6. This issue arises from inadequate validation of uploaded file types, particularly within the format_classic function. The validate_classic method does check file extensions and sets corresponding error messages, but it fails to halt the file upload process. Consequently, unauthenticated attackers can potentially upload files with dangerous extensions including PHP, which may facilitate remote code execution. Exploitation requires knowledge of the directory structure where the files are stored, which can be inferred due to predictable hash generation. Although the file name is secured through a hash method, this vulnerability still poses a significant security threat.
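The defect described above is a common one: a validator that records an error message but never stops the save path that follows it. The PHP below is an added illustration of that pattern beside a hardened form; it is not code from the Pie Forms plugin, and all class, method and field names (`VulnerableUploadHandler`, `HardenedUploadHandler`, `validate`, `handle`, `$errors`) are assumptions chosen for the example. The hardened version fails closed, checks the file's content type in addition to its extension, and names the stored file with a random value rather than a predictable hash.

```php
<?php
// Added example (not Pie Forms code): the "error set but upload not halted"
// pattern beside a fail-closed rewrite. All names here are hypothetical.

// Extensions a form upload is permitted to have; everything else is rejected.
const ALLOWED_EXTENSIONS = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                            'png' => 'image/png', 'gif' => 'image/gif',
                            'pdf' => 'application/pdf'];

// ---- Vulnerable pattern: validation is advisory only ------------------------
class VulnerableUploadHandler
{
    public array $errors = [];

    // Records an error for a disallowed extension, but returns nothing, and the
    // caller never consults $errors before writing the file.
    public function validate(string $filename): void
    {
        $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
        if (!array_key_exists($ext, ALLOWED_EXTENSIONS)) {
            $this->errors[] = "File type .$ext is not allowed.";
        }
    }

    public function handle(array $file, string $destDir): string
    {
        $this->validate($file['name']);
        // BUG: the error above is set, yet the upload proceeds regardless.
        // A hashed base name (assumed here) does not help when the extension
        // is kept and the storage directory can be guessed.
        $ext    = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        $target = $destDir . '/' . hash('sha256', $file['name']) . '.' . $ext;
        move_uploaded_file($file['tmp_name'], $target);
        return $target;
    }
}

// ---- Hardened pattern: validation decides whether anything is written -------
class HardenedUploadHandler
{
    public array $errors = [];

    // Returns true only when both the extension and the detected content type
    // are on the allowlist; otherwise records why and returns false.
    public function validate(array $file): bool
    {
        $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        if (!array_key_exists($ext, ALLOWED_EXTENSIONS)) {
            $this->errors[] = "File type .$ext is not allowed.";
            return false;
        }
        // Extension alone is not enough; inspect the bytes that were uploaded.
        $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
        if ($detected !== ALLOWED_EXTENSIONS[$ext]) {
            $this->errors[] = "Content type $detected does not match .$ext.";
            return false;
        }
        return true;
    }

    // Returns the stored path, or null when validation or the write fails.
    // Nothing reaches disk unless validate() returned true.
    public function handle(array $file, string $destDir): ?string
    {
        if (!$this->validate($file)) {
            return null;                       // fail closed
        }
        $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        // Unpredictable name: the attacker cannot derive the stored path.
        $target = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        if (!move_uploaded_file($file['tmp_name'], $target)) {
            $this->errors[] = 'Could not store the uploaded file.';
            return null;
        }
        return $target;
    }
}
```

In a real WordPress plugin the same check is normally delegated to `wp_check_filetype_and_ext()` and `wp_handle_upload()`, which apply the site's allowed MIME list; the point of the example is the control flow, not the specific list. As defence in depth, the upload directory should also be configured so the web server never executes scripts stored there, which limits the impact even if a validation bug of this kind slips through.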

Affected Version(s)

Pie Forms — Drag & Drop Form Builder <= 1.6

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Le Viet Anh