CVE-2025-11499

Nov. 4, 2025, 3:41 p.m.

9.8
Critical

Description

The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image_from_external_url() function in all versions up to, and including, 1.1.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in configurations where unauthenticated users have been provided with a method for adding featured images, and the workflow trigger is created.

Product(s) Impacted

Product Versions
contact_form_db
  • <1.1.32

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-434
Unrestricted Upload of File with Dangerous Type
The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

References

https://plugins.trac.wordpress.org/browser/tablesome/trunk/workflow-library/actions/wp-post-creation.php#L309
https://plugins.trac.wordpress.org/changeset/3386484/tablesome/trunk/workflow-library/actions/wp-post-creation.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/2be770c7-7aa2-430b-981d-5d81fe068bef?source=cve

Tags

security@wordfence.com
CWE-434
2025-11-01
CVE-2025-11499

CVSS Score

9.8 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: Nov. 1, 2025, 7:15 a.m.
Last Modified: Nov. 4, 2025, 3:41 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

security@wordfence.com

Relations

Here is the list of observables linked to the vulnerability CVE-2025-11499 using threat intelligence.

  • Webrat

Linked Attack Reports

Webrat, disguised as exploits, is spreading via GitHub repositories

A new malware campaign targeting security professionals and students has been uncovered. The threat actor behind Webrat is now disguising the backdoor as exploits and proof-of-concept code for high-profile vulnerabilities, distributing it through GitHub repositories. The malware, which previously s…
malware
backdoor
exploit
vulnerability
trojan
information-stealing
social-engineering
cybersecurity
github
webrat
CVE-2025-59230
CVE-2025-59295
CVE-2025-10294
2025-12-23
Published: December 23, 2025
Linked vulnerabilities : CVE-2025-59230 (CVSS 7.8), CVE-2025-59295 (CVSS 8.8), CVE-2025-10294 (CVSS 9.8), CVE-2025-11833 (CVSS 9.8), CVE-2025-11499 (CVSS 9.8), CVE-2025-12595 (CVSS 7.4), CVE-2025-12596 (CVSS 7.4), CVE-2025-55234, CVE-2025-54106, CVE-2025-54897
Downloadable IOCs: 5

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.