CVE-2025-11087
Published: 21 November 2025
Summary
CVE-2025-11087 is a high-severity CSRF (CWE-352) vulnerability in a ThemeForest-distributed product (vendor inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of information inputs such as CSRF nonces and file types, directly preventing the forged requests and arbitrary file uploads exploited in this CVE.
- SC-23 (Session Authenticity): provides mechanisms such as challenge-response to protect session authenticity, mitigating CSRF attacks that trick administrators into uploading malicious files.
- Flaw remediation: mandates timely identification, reporting, and correction of flaws such as the missing validations in this WordPress plugin, preventing exploitation through patching.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables exploitation of a public-facing WordPress plugin (T1190) via CSRF leading to arbitrary file upload, which facilitates web shell deployment for remote code execution (T1100).
NVD Description
The Zegen Core plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.0.1. This is due to missing nonce validation and missing file type validation in the '/custom-font-code/custom-fonts-uploads.php' file. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Deeper analysis
CVE-2025-11087 is a Cross-Site Request Forgery (CSRF) vulnerability leading to arbitrary file upload in the Zegen Core plugin for WordPress, affecting versions up to and including 2.0.1. The issue stems from missing nonce validation and file type validation in the '/custom-font-code/custom-fonts-uploads.php' file. Published on 2025-11-21, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-352 (Cross-Site Request Forgery).
Unauthenticated attackers can exploit this vulnerability by crafting a forged request and tricking a site administrator into performing an action, such as clicking a malicious link. Successful exploitation allows the upload of arbitrary files to the affected site's server, which may enable remote code execution.
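The two missing checks named above (nonce validation and file type validation) are what a hardened WordPress upload handler must add. The following is an added illustration written for this record, not the Zegen Core plugin's own code or its fix; the action name `example_font_upload`, the nonce name `example_font_nonce`, the field name `font_file` and the `manage_options` capability are assumptions chosen for the example. The WordPress functions used (`check_admin_referer`, `current_user_can`, `wp_check_filetype_and_ext`, `wp_handle_upload`, `wp_nonce_field`) are real core APIs.

```php
<?php
// Hypothetical hardened font-upload handler for a WordPress plugin.
// Added example, not the Zegen Core plugin's code. It adds the two checks the
// CVE record says were missing (nonce validation, file type validation) plus a
// capability check, so a forged request from a logged-in admin's browser fails.

add_action( 'admin_post_example_font_upload', 'example_handle_font_upload' );

function example_handle_font_upload() {
    // 1. CSRF defence: the request must carry a nonce bound to this action.
    //    check_admin_referer() calls wp_die() when the nonce is missing or invalid,
    //    which is exactly what a cross-site forged request cannot supply.
    check_admin_referer( 'example_font_upload', 'example_font_nonce' );

    // 2. Authorisation: a valid nonce is not a substitute for a capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    if ( empty( $_FILES['font_file'] ) || ! is_uploaded_file( $_FILES['font_file']['tmp_name'] ) ) {
        wp_die( 'No file uploaded', '', array( 'response' => 400 ) );
    }

    // 3. File type validation: an explicit allow list of font types. The
    //    extension is checked against this list and, for types WordPress can
    //    sniff, the content as well; anything else (e.g. .php) yields ext => false.
    $allowed = array(
        'woff'  => 'font/woff',
        'woff2' => 'font/woff2',
        'ttf'   => 'font/ttf',
        'otf'   => 'font/otf',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['font_file']['tmp_name'],
        $_FILES['font_file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not allowed', '', array( 'response' => 415 ) );
    }

    // 4. Let WordPress store the file: it re-applies the allow list, sanitises
    //    the filename and places the file under the uploads directory.
    $result = wp_handle_upload(
        $_FILES['font_file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    wp_safe_redirect( admin_url( 'admin.php?page=example-fonts&uploaded=1' ) );
    exit;
}

// The admin form that posts to the handler must embed the matching nonce field;
// without it, even a legitimate submission is rejected by check_admin_referer().
function example_render_font_upload_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_font_upload">
        <?php wp_nonce_field( 'example_font_upload', 'example_font_nonce' ); ?>
        <input type="file" name="font_file" accept=".woff,.woff2,.ttf,.otf">
        <button type="submit">Upload font</button>
    </form>
    <?php
}
```

The ordering matters: the nonce check runs before any file handling, so a forged request is rejected without ever touching the upload, and the allow list is enforced twice (once explicitly, once inside `wp_handle_upload`) so a later refactor that drops one check does not silently reopen the arbitrary-upload path. Detection-wise, `admin-post.php` requests for this action that fail the nonce check are worth logging, since a burst of them against an administrator's session is the signature of a CSRF attempt.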
Mitigation details are available in advisories such as the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/145deebd-1e15-4f8a-878c-9424c2cd9601?source=cve, with the plugin distributed via its ThemeForest page at https://themeforest.net/item/zegen-church-wordpress-theme/25116823.
Details
- CWE(s)