Scan free
HIGHCVE-2025-11087CVSS 8.8

CVE-2025-11087: Arbitrary File Access in Zegen Core

Platform

wordpress

Component

zegen-core

Fixed in

2.0.2

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026
View on NVD
Save

CVE-2025-11087 is an Arbitrary File Access vulnerability affecting the Zegen Core WordPress plugin. This vulnerability allows unauthenticated attackers to upload arbitrary files to the server, potentially leading to remote code execution. The issue impacts versions 0.0.0 through 2.0.1 and has been resolved in version 2.0.2.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

The primary impact of CVE-2025-11087 is the ability for an attacker to upload arbitrary files to the WordPress server. This is achieved through a Cross-Site Request Forgery (CSRF) attack exploiting missing nonce validation and inadequate file type validation within the /custom-font-code/custom-fonts-uploads.php file. Successful exploitation could allow an attacker to upload malicious web shells, backdoors, or other executable code, granting them complete control over the affected WordPress site. The blast radius extends to the entire server if the uploaded code can be leveraged to compromise the underlying system. This vulnerability shares similarities with other file upload vulnerabilities where insufficient validation allows for the execution of attacker-controlled code.

Exploitation Context

CVE-2025-11087 was publicly disclosed on 2025-11-21. The vulnerability's severity is considered HIGH due to the potential for remote code execution. No public proof-of-concept (PoC) code has been publicly released as of the disclosure date, but the ease of exploitation via CSRF suggests a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.09% (25% percentile)

CISA SSVC

Exploitationnone
Automatableno
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H8.8HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentzegen-core
Vendorwordfence
Affected rangeFixed in
0.0.0 – 2.0.12.0.2

Weakness Classification (CWE)

CWE-352

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-11087 is to immediately upgrade the Zegen Core plugin to version 2.0.2 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to /custom-font-code/custom-fonts-uploads.php that lack proper authentication or contain suspicious file extensions. Additionally, review and restrict file upload permissions on the server to limit the potential damage from a successful exploit. Carefully examine WordPress user roles and permissions to minimize the impact of a compromised administrator account. After upgrading, verify the fix by attempting a file upload with a known malicious extension (e.g., .php) to ensure it is blocked.

How to fix

Update to version 2.0.2, or a newer patched version

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-11087 — Arbitrary File Access in Zegen Core?

CVE-2025-11087 is a HIGH severity vulnerability in the Zegen Core WordPress plugin allowing attackers to upload arbitrary files via CSRF, potentially leading to remote code execution.

Am I affected by CVE-2025-11087 in Zegen Core?

You are affected if you are using Zegen Core plugin versions 0.0.0 through 2.0.1. Upgrade to 2.0.2 or later to mitigate the risk.

How do I fix CVE-2025-11087 in Zegen Core?

Upgrade the Zegen Core plugin to version 2.0.2 or later. As a temporary workaround, implement a WAF rule to block suspicious requests to the vulnerable endpoint.

Is CVE-2025-11087 being actively exploited?

While no public exploits are currently known, the ease of exploitation via CSRF suggests a moderate probability of exploitation.

Where can I find the official Zegen Core advisory for CVE-2025-11087?

Refer to the official Zegen Core plugin documentation and WordPress security announcements for updates and advisories related to CVE-2025-11087.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs