The vulnerability CVE-2025-11087 affects the Zegen Core plugin for WordPress, specifically versions up to and including 2.0.1. The root cause is the absence of nonce validation and file type validation in the '/custom-font-code/custom-fonts-uploads.php' endpoint. Nonce validation is a security mechanism in WordPress to prevent CSRF attacks by ensuring that requests originate from legitimate users. Without this, attackers can craft malicious requests that an authenticated administrator might unknowingly execute. The lack of file type validation allows attackers to upload arbitrary files, including potentially malicious scripts. By exploiting this CSRF vulnerability, an unauthenticated attacker can trick an administrator into clicking a specially crafted link or visiting a malicious page, causing the upload of arbitrary files to the server. This can lead to remote code execution (RCE), allowing attackers to execute arbitrary commands on the server, potentially leading to full site compromise. The vulnerability is remotely exploitable over the network without prior authentication but requires user interaction (clicking a link). The CVSS v3.1 score of 8.8 reflects high impact on confidentiality, integrity, and availability, with low attack complexity. No patches or official fixes have been released yet, and no known exploits are reported in the wild. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery).

The impact of CVE-2025-11087 is significant for organizations using the Zegen Core WordPress plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary code on the web server. This can result in complete site compromise, data theft, defacement, installation of backdoors, or pivoting to internal networks. Confidentiality is at risk due to potential data exposure; integrity is compromised by unauthorized file uploads and code execution; availability may be affected if attackers disrupt services or deploy ransomware. Since WordPress powers a large portion of websites globally, any organization relying on this plugin for site functionality is at risk. The requirement for user interaction (administrator clicking a malicious link) slightly reduces the risk but does not eliminate it, especially in environments where administrators may be targeted via phishing or social engineering. The absence of patches increases the window of exposure. This vulnerability could be leveraged in targeted attacks against high-value websites, including e-commerce, government, and enterprise portals.

1. Immediately restrict access to the '/custom-font-code/custom-fonts-uploads.php' endpoint via web server configuration (e.g., IP whitelisting or authentication) to prevent unauthorized uploads. 2. Implement Web Application Firewall (WAF) rules to detect and block suspicious POST requests targeting the vulnerable endpoint, especially those lacking valid nonces or containing unexpected file types. 3. Educate site administrators about the risk of clicking untrusted links and implement strict email filtering to reduce phishing attempts. 4. Temporarily disable or remove the Zegen Core plugin until an official patch is released. 5. Monitor server logs for unusual file uploads or access patterns indicative of exploitation attempts. 6. Employ file integrity monitoring to detect unauthorized changes to web files. 7. Once available, promptly apply vendor patches or updates addressing nonce and file type validation. 8. Consider deploying Content Security Policy (CSP) headers to limit execution of unauthorized scripts. 9. Regularly back up website data and configurations to enable recovery in case of compromise.