Arbitrary Shortcode Execution Vulnerability in Create Custom Forms Plugin for WordPress
CVE-2025-2801

7.3HIGH

Key Information:

Vendor

WordPress
Status
Create Custom Forms For WordPress With A Smart Form Plugin For Smart Businesses – Form Builder For WordPress
Vendor
CVE Published:
26 April 2025

What is CVE-2025-2801?

The Create Custom Forms plugin for WordPress is susceptible to arbitrary shortcode execution across all versions up to and including 1.2.4. This vulnerability arises from inadequate validation of user inputs prior to processing do_shortcode, permitting unauthenticated attackers to execute arbitrary shortcodes. Such exploits can lead to unauthorized actions or manipulation of site content, posing potential risks to website integrity and security.

Affected Version(s)

Create custom forms for WordPress with a smart form plugin for smart businesses – Form builder for WordPress * <= 1.2.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/abcsubmit/tags...
https://plugins.trac.wordpress.org/browser/abcsubmit/tags...

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Avraham Shemesh
.
CVE-2025-2801 : Arbitrary Shortcode Execution Vulnerability in Create Custom Forms Plugin for WordPress