CVE-2025-2801
Description
The Create custom forms for WordPress with a smart form plugin for smart businesses plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can execute arbitrary WordPress shortcodes via the AbcSubmit form builder plugin (≤1.2.4) because of missing validation before do_shortcode.
Vulnerability Analysis
The CVE-2025-2801 vulnerability affects the AbcSubmit plugin for WordPress, a form builder plugin designed to create custom forms. In all versions up to and including 1.2.4, the plugin fails to properly validate a value before passing it to the do_shortcode WordPress function. This lack of validation allows an attacker to inject and execute arbitrary shortcodes [1].
Attack Vector
The vulnerability is exploitable by unauthenticated attackers, meaning no login or special privileges are required. The issue stems from a user-controllable action that invokes do_shortcode without adequate sanitization or capability checks. An attacker can craft a malicious request containing a shortcode payload, which the plugin then executes on the server [1].
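The weak pattern described above, as an added illustration that is not the AbcSubmit plugin's own code: a hypothetical AJAX action (the hook name abc_render_form, the post type abc_form, the nonce action and the parameter names are all assumptions) that hands request input to do_shortcode, shown beside a version where the only client-controlled value is an integer form ID that is resolved against site-owner data before any shortcode runs.

```php
<?php
// Added example, not code from the AbcSubmit plugin. Hook names, post type
// and parameter names (abc_render_form, abc_form, form_id, nonce) are assumed.

// Weak pattern: the raw request body reaches do_shortcode, so any shortcode
// registered on the site (core, theme or other plugins) can be triggered by
// an unauthenticated caller via the nopriv hook.
function abc_render_form_unsafe() {
    $content = wp_unslash( $_POST['content'] ?? '' ); // attacker-controlled string
    echo do_shortcode( $content );                    // no validation, no auth
    wp_die();
}
add_action( 'wp_ajax_nopriv_abc_render_form', 'abc_render_form_unsafe' );
add_action( 'wp_ajax_abc_render_form', 'abc_render_form_unsafe' );

// Hardened pattern: the client may only name a stored form. The text that is
// passed to do_shortcode is built server-side from data the site owner saved,
// so request input never selects which shortcode executes.
function abc_render_form_safe() {
    // Nonce ties the request to a page the site itself served (CSRF defence).
    check_ajax_referer( 'abc_render_form', 'nonce' );

    $form_id = absint( $_POST['form_id'] ?? 0 );      // integer only
    $form    = get_post( $form_id );
    if ( ! $form || 'abc_form' !== $form->post_type || 'publish' !== $form->post_status ) {
        wp_send_json_error( 'form not found', 404 );
    }

    // If this action should only ever be reachable by a privileged user,
    // add a capability check here, e.g. current_user_can( 'edit_posts' ).

    // Only the plugin's own shortcode runs, with an attribute we control.
    $markup = do_shortcode( '[abc_form id="' . (int) $form_id . '"]' );
    wp_send_json_success( $markup );
}
add_action( 'wp_ajax_nopriv_abc_render_form', 'abc_render_form_safe' );
add_action( 'wp_ajax_abc_render_form', 'abc_render_form_safe' );
```

For a code review or an audit of other installed plugins, the quick check is to search for every call to do_shortcode (and apply_shortcodes) and confirm that its argument is derived from stored content or a server-built string, never from $_GET, $_POST, $_REQUEST or a REST request body; the same review should confirm that privileged actions sit behind a capability check, not only a nonce.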
Impact
Successful exploitation enables an attacker to run any WordPress shortcode, including those from other plugins or the core system. Depending on the available shortcodes, this can lead to a wide range of impacts such as arbitrary file uploads, sensitive data disclosure, or privilege escalation. The plugin has been closed by the WordPress.org team due to this security issue [1].
Mitigation
As of April 24, 2025, the plugin has been removed from the WordPress plugin repository and is not available for download [1]. Users who have the plugin installed should immediately delete it and replace it with an alternative form builder. There is no patched version available; the affected versions remain vulnerable.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (No linked articles in our index yet.)