HIGH · CVE-2025-2801 · CVSS 7.3

Create custom forms for WordPress with a smart form plugin for smart businesses <= 1.2.4 - Unauthenticated Arbitrary Shortcode Execution

Platform: wordpress

Component: abcsubmit

Fixed version: 1.2.5

AI Confidence: high · NVD · EPSS 1.7% · Reviewed: May 2026

CVE-2025-2801 is a high-severity vulnerability affecting the Smart Forms plugin for WordPress, versions 1.0.0 through 1.2.4. This vulnerability allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to complete site takeover. The vulnerability stems from a lack of proper input validation when handling user-supplied data within the plugin's shortcode execution functionality. A patch is available to address this issue.


Impact and attack scenarios

The impact of CVE-2025-2801 is significant. Successful exploitation allows an attacker to inject and execute arbitrary shortcodes on a WordPress site. Because a shortcode can invoke any handler registered by the core or by any installed plugin, this can lead to a wide range of malicious activities, including defacement of the website, injection of malicious scripts, redirection of users to phishing sites, and even complete compromise of the WordPress installation. Because exploitation requires no authentication, any visitor, even one without a WordPress account, can attempt it. The attacker could leverage this to install backdoors, steal sensitive data, or launch further attacks against other systems reachable from the compromised WordPress site.

Exploitation status

CVE-2025-2801 was publicly disclosed on April 26, 2025. No public proof-of-concept (PoC) code has been released at the time of this writing, but the vulnerability's nature makes it likely that a PoC will emerge. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation (unauthenticated access) and the potential impact, it is considered a medium-high probability exploit target.

Who is at risk

Websites using the Smart Forms plugin for WordPress, particularly those running versions 1.0.0 through 1.2.4, are at risk. Shared hosting environments are particularly vulnerable as they often have limited control over plugin updates and security configurations. Sites relying on the plugin for critical form processing or data collection are at higher risk.

Detection steps

• wordpress / composer / npm: locate every do_shortcode call site in the installed plugin source, so the code path that renders user-supplied values can be reviewed:

grep -rn 'do_shortcode' /var/www/html/wp-content/plugins/smart-forms/

• wordpress / composer / npm: list the installed plugin with its version and status (a version at or below 1.2.4 is affected, whether the plugin is active or not):

wp plugin list | grep 'smart-forms'

• wordpress / composer / npm: turn on automatic updates so the fixed release is applied as soon as it is available:

wp plugin auto-update enable --all

• generic web: Check WordPress access logs for unusual shortcode patterns or requests originating from unexpected IP addresses.

Attack timeline

  1. Disclosure

Threat intelligence

Exploitation status

Proof of concept: unknown
CISA KEV: no
Internet exposure: (not stated)

EPSS

1.68% (82nd percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical impact: partial

CVSS vector

Threat intelligence · CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L · 7.3 HIGH

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required for exploitation)
Privileges Required: None (authentication level needed for the attack)
User Interaction: None (whether the victim must act)
Scope: Unchanged (spread beyond the affected component)
Confidentiality: Low (risk of sensitive data disclosure)
Integrity: Low (risk of unauthorized data modification)
Availability: Low (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?

Attack Vector
Network: exploitable remotely over the internet; no physical or local access required.
Attack Complexity
Low: no special conditions required; exploitation is reliable.
Privileges Required
None: no authentication required; exploitable without credentials.
User Interaction
None: automatic and silent attack; the victim does nothing.
Scope
Unchanged: impact is limited to the vulnerable component.
Confidentiality
Low: partial access to some data.
Integrity
Low: data can be modified within a limited scope.
Availability
Low: partial or intermittent denial of service.

Affected software

Component: abcsubmit
Vendor: dorinabc
Affected range: 0 – 1.2.4
Fixed version: 1.2.5

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Updated
  4. EPSS updated

Unpatched: 393 days since publication

Mitigations and workarounds

The primary mitigation for CVE-2025-2801 is to immediately upgrade the Smart Forms plugin to a patched version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. While a direct workaround isn't available, implementing strict input validation on all user-supplied data within the plugin’s shortcode handling logic could reduce the attack surface. Monitor WordPress access logs for suspicious shortcode usage patterns. After upgrading, verify the fix by attempting to execute a known malicious shortcode through the plugin’s form submission process; it should be rejected.

How to fix

Update the plugin 'Create custom forms for WordPress with a smart form plugin for smart businesses' to a fixed version. The vulnerability is caused by missing validation of values before do_shortcode is executed, which allows arbitrary shortcodes to run. Consult the referenced sources for more information on the fix.
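As an added illustration of the weakness the mitigation and fix sections describe (a value reaching do_shortcode without validation) and of the input-validation workaround they suggest, here is a minimal pair of WordPress-style handlers. This is example code written for this page, not the plugin's or the vendor's own code. The function names, the `field_value` request key and the contents of the allowlist are assumptions; `do_shortcode`, `get_shortcode_regex`, `wp_kses_post`, `esc_html` and `WP_Error` are real WordPress APIs.

```php
<?php
// Added example (not the plugin's code). Contrasts an unsafe handler that
// hands request data straight to do_shortcode() with a hardened handler that
// only renders shortcodes from a server-side allowlist.

// Unsafe pattern (hypothetical): the submitted value is rendered as-is, so any
// shortcode registered by core or by any installed plugin becomes callable by
// an unauthenticated visitor. This is the shape of defect the advisory names.
function example_unsafe_render_field( array $request ) {
    $value = isset( $request['field_value'] ) ? (string) $request['field_value'] : '';
    return do_shortcode( $value ); // no validation of the value before rendering
}

// Hardened pattern: decide server-side which shortcode tags a field may carry,
// reject anything else, and log the rejection so attempts are visible.
// $allowed_shortcodes is an assumed allowlist, e.g. array( 'smart_form_date' ).
function example_safe_render_field( array $request, array $allowed_shortcodes ) {
    $value = isset( $request['field_value'] ) ? (string) $request['field_value'] : '';

    // get_shortcode_regex() matches every registered shortcode; with
    // preg_match_all() in its default mode, $matches[2] holds the tag names.
    $pattern = get_shortcode_regex();
    if ( preg_match_all( '/' . $pattern . '/s', $value, $matches ) ) {
        foreach ( $matches[2] as $tag ) {
            if ( ! in_array( $tag, $allowed_shortcodes, true ) ) {
                // Refuse the whole submission instead of silently stripping the
                // tag, so the event is recorded for log review.
                error_log( sprintf( 'example-forms: rejected disallowed shortcode [%s]', $tag ) );
                return new WP_Error( 'disallowed_shortcode', 'Shortcode not permitted.' );
            }
        }
    }

    // Only allowlisted tags remain; strip disallowed HTML before rendering.
    return do_shortcode( wp_kses_post( $value ) );
}

// For a field that is meant to be plain text, the safest handling is to never
// treat it as shortcode input at all: escape it and return it verbatim.
function example_render_plain_field( array $request ) {
    $value = isset( $request['field_value'] ) ? (string) $request['field_value'] : '';
    return esc_html( $value );
}
```

The allowlist check runs against the set of currently registered shortcodes, which is the same set do_shortcode would expand, so a tag that is not registered at all passes through unexpanded exactly as it would in core. When auditing a plugin after the grep step above, the question to ask at each do_shortcode call site is which of these three shapes it has.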


Frequently asked questions

What is CVE-2025-2801 — Arbitrary Shortcode Execution in Smart Forms Plugin?

CVE-2025-2801 is a high-severity vulnerability in the Smart Forms plugin for WordPress, allowing unauthenticated attackers to execute arbitrary shortcodes due to insufficient input validation.

Am I affected by CVE-2025-2801 in Smart Forms Plugin?

You are affected if your WordPress site uses the Smart Forms plugin and is running version 1.0.0 through 1.2.4. Upgrade immediately to mitigate the risk.

How do I fix CVE-2025-2801 in Smart Forms Plugin?

Upgrade the Smart Forms plugin to the latest available version. If upgrading is not possible, temporarily disable the plugin until a suitable workaround can be implemented.

Is CVE-2025-2801 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it is a likely target for attackers.

Where can I find the official Smart Forms advisory for CVE-2025-2801?

Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.
