CVE-2025-12528

High

Published: 18 November 2025

Published

18 November 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0026 49.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

The Pie Forms for WP plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.6 via the format_classic function. This is due to insufficient file type validation where the validate_classic method validates file…

extensions and sets error messages but does not prevent the file upload process from continuing. This makes it possible for unauthenticated attackers to upload files with dangerous extensions such as PHP, which makes remote code execution possible. In order to exploit this vulnerability, the attacker needs to guess the directory in which the file is placed (which is a somewhat predictable hash). In addition to that, the file name is generated using a secure hash method, limiting the exploitability of this vulnerability.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates CVE-2025-12528 by identifying, reporting, and correcting the insufficient file type validation flaw in the Pie Forms plugin.

SI-10 Information Input Validation good match

prevent

Enforces comprehensive validation of file uploads to prevent arbitrary uploads of dangerous extensions like PHP despite error messages.

SI-9 Information Input Restrictions good match

prevent

Restricts file inputs to safe types and sizes, blocking unauthenticated uploads of executable files to predictable hash directories.

Security SummaryAI

CVE-2025-12528 is an arbitrary file upload vulnerability in the Pie Forms for WP plugin for WordPress, affecting all versions up to and including 1.6. The flaw exists in the format_classic function due to insufficient file type validation in the validate_classic method, which checks file extensions and sets error messages but does not prevent the upload process from continuing. This CWE-434 issue was published on 2025-11-18 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers can exploit the vulnerability to upload files with dangerous extensions such as PHP, enabling remote code execution. Successful exploitation requires guessing the upload directory, which uses a somewhat predictable hash, while the filename is generated using a secure hash method, thereby limiting overall exploitability.

Advisories, including the Wordfence threat intelligence report (https://www.wordfence.com/threat-intel/vulnerabilities/id/4941a0ce-67f1-430d-bbad-3c97a4ed449e?source=cve), provide further details. Code references point to vulnerable lines in fileupload.php at L18, L331, and L475 (https://plugins.trac.wordpress.org/browser/pie-forms-for-wp/tags/1.6/includes/fields/fileupload.php).

Details

CWE(s): CWE-434

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Arbitrary file upload in public-facing WordPress plugin enables unauthenticated remote exploitation for RCE, directly mapping to Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://plugins.trac.wordpress.org/browser/pie-forms-for-wp/tags/1.6/includes/fields/fileupload.php#L18
security@wordfence.com
https://plugins.trac.wordpress.org/browser/pie-forms-for-wp/tags/1.6/includes/fields/fileupload.php#L331
security@wordfence.com
https://plugins.trac.wordpress.org/browser/pie-forms-for-wp/tags/1.6/includes/fields/fileupload.php#L475
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/4941a0ce-67f1-430d-bbad-3c97a4ed449e?source=cve
security@wordfence.com