Platform: wordpress
Component: abcsubmit
Fixed in: 1.2.5
CVE-2025-2801 is a high-severity vulnerability affecting the Smart Forms plugin for WordPress, versions 1.0.0 through 1.2.4. This vulnerability allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to complete site takeover. The vulnerability stems from a lack of proper input validation when handling user-supplied data within the plugin's shortcode execution functionality. A patch is available to address this issue.
The impact of CVE-2025-2801 is significant. Successful exploitation allows an attacker to inject and execute arbitrary shortcodes on a WordPress site. This can lead to a wide range of malicious activities, including defacement of the website, injection of malicious scripts, redirection of users to phishing sites, and even complete compromise of the WordPress installation. The ability to execute arbitrary code without authentication means that any user, even without a WordPress account, can potentially exploit this vulnerability. The attacker could leverage this to install backdoors, steal sensitive data, or launch further attacks against other systems accessible from the compromised WordPress site.
CVE-2025-2801 was publicly disclosed on April 26, 2025. No public proof-of-concept (PoC) code has been released at the time of this writing, but the vulnerability's nature makes it likely that a PoC will emerge. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation (unauthenticated access) and the potential impact, it is considered a medium-high probability exploit target.
Websites using the Smart Forms plugin for WordPress, particularly those running versions 1.0.0 through 1.2.4, are at risk. Shared hosting environments are particularly vulnerable as they often have limited control over plugin updates and security configurations. Sites relying on the plugin for critical form processing or data collection are at higher risk.
• wordpress / composer / npm: locate the plugin's shortcode execution calls
grep -r 'do_shortcode' /var/www/html/wp-content/plugins/smart-forms/
• wordpress / composer / npm: check whether the plugin is installed but inactive
wp plugin list --status=inactive | grep 'smart-forms'
• wordpress / composer / npm: enable automatic plugin updates (WP-CLI 2.5+ syntax)
wp plugin auto-updates enable --all
• generic web: check WordPress access logs for unusual shortcode patterns or requests originating from unexpected IP addresses.
disclosure
Exploit status
EPSS
1.68% (82nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2801 is to immediately upgrade the Smart Forms plugin to a patched version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. While a direct workaround isn't available, implementing strict input validation on all user-supplied data within the plugin’s shortcode handling logic could reduce the attack surface. Monitor WordPress access logs for suspicious shortcode usage patterns. After upgrading, verify the fix by attempting to execute a known malicious shortcode through the plugin’s form submission process; it should be rejected.
Update the plugin 'Create custom forms for WordPress with a smart form plugin for smart businesses' to a fixed version. The vulnerability is due to a lack of validation of values before executing do_shortcode, which allows arbitrary shortcodes to be executed. See the reference sources for more information on the fix.
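As an added illustration (not code from the Smart Forms plugin or its fix), the pattern the advisory describes, user-controlled text reaching do_shortcode, shown next to a hardened handler that only lets the client choose from a server-side allowlist and treats free text as data. It assumes a WordPress runtime for the core functions it calls; the sf_* function names, the SF_ALLOWED_TEMPLATES map and the shortcode tags inside it are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Assumes WordPress core is loaded
// (do_shortcode, strip_shortcodes, sanitize_key, sanitize_text_field,
// wp_unslash and esc_html are core functions).

// Vulnerable pattern: a value taken straight from the request is handed to
// do_shortcode, so any registered shortcode the client writes into the
// field is expanded and its callback runs. This is the root cause the
// advisory describes (no validation before do_shortcode).
function sf_render_message_vulnerable( array $request ) {
    $message = isset( $request['message'] ) ? wp_unslash( $request['message'] ) : '';
    return do_shortcode( $message );
}

// Hardened pattern: the client never supplies shortcode text. It may only
// pick a key; the shortcode string itself lives in code, and free-text
// input is never passed through do_shortcode at all.
const SF_ALLOWED_TEMPLATES = [          // hypothetical tag names
    'thanks'  => '[sf_thank_you]',
    'receipt' => '[sf_receipt format="short"]',
];

function sf_render_message_hardened( array $request ) {
    $key = isset( $request['template'] ) ? sanitize_key( $request['template'] ) : '';
    if ( ! array_key_exists( $key, SF_ALLOWED_TEMPLATES ) ) {
        return ''; // unknown key: render nothing rather than guessing
    }

    // Free text is data, not markup: strip registered shortcodes and escape
    // for HTML output. Note that it is not expanded with do_shortcode.
    $note = isset( $request['note'] ) ? wp_unslash( $request['note'] ) : '';
    $note = esc_html( strip_shortcodes( sanitize_text_field( $note ) ) );

    return do_shortcode( SF_ALLOWED_TEMPLATES[ $key ] ) . ' ' . $note;
}
```

The allowlist lookup is the actual control here; strip_shortcodes on the note is defence in depth, since that string never reaches do_shortcode anyway.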
CVE-2025-2801 is a high-severity vulnerability in the Smart Forms plugin for WordPress, allowing unauthenticated attackers to execute arbitrary shortcodes due to insufficient input validation.
You are affected if your WordPress site uses the Smart Forms plugin and is running version 1.0.0 through 1.2.4. Upgrade immediately to mitigate the risk.
Upgrade the Smart Forms plugin to the latest available version. If upgrading is not possible, temporarily disable the plugin until a suitable workaround can be implemented.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it is a likely target for attackers.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.