The vulnerability CVE-2025-11087 affects the Zegen Core plugin for WordPress, specifically versions up to and including 2.0.1. The root cause is the absence of nonce validation and insufficient file type validation in the '/custom-font-code/custom-fonts-uploads.php' file, which handles custom font uploads. Nonce validation is a security mechanism to prevent CSRF attacks by ensuring that requests originate from legitimate users. Without this, an attacker can craft a malicious web page that, when visited by an authenticated site administrator, triggers a forged request to upload arbitrary files to the server. Because file type validation is also missing, attackers can upload executable files or web shells, potentially leading to remote code execution (RCE). The vulnerability requires no prior authentication but does require the victim to interact with a malicious link or webpage, making social engineering a key exploitation vector. The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates network attack vector, low attack complexity, no privileges required, user interaction needed, unchanged scope, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability is critical due to the potential for full server compromise. The plugin is widely used in WordPress sites that utilize Zozothemes products, making it a significant threat to websites relying on this ecosystem.

For European organizations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their web infrastructure. Successful exploitation can lead to unauthorized file uploads, enabling attackers to deploy web shells or malware, resulting in full remote code execution. This can compromise sensitive customer data, intellectual property, and internal systems connected to the web server. Organizations in sectors such as finance, healthcare, government, and e-commerce are particularly vulnerable due to the sensitive nature of their data and regulatory requirements like GDPR. Additionally, compromised websites can be used to launch further attacks, distribute malware, or conduct phishing campaigns targeting European users. The requirement for user interaction (an administrator clicking a malicious link) means that social engineering defenses and user awareness are critical. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits may emerge rapidly after disclosure.

Immediate mitigation steps include updating the Zegen Core plugin to a patched version once released by the vendor. Until a patch is available, organizations should implement strict administrative access controls, including limiting administrator privileges and enforcing multi-factor authentication to reduce the risk of compromised credentials. Web application firewalls (WAFs) should be configured to detect and block suspicious POST requests to the '/custom-font-code/custom-fonts-uploads.php' endpoint, particularly those lacking valid nonces or containing unexpected file types. Administrators should be trained to recognize phishing and social engineering attempts to prevent inadvertent clicks on malicious links. Regular security audits and file integrity monitoring can help detect unauthorized file uploads. Additionally, disabling or restricting plugin functionality related to file uploads temporarily can reduce exposure. Network segmentation and least privilege principles should be applied to limit the impact of potential server compromise. Finally, monitoring logs for unusual activity around the vulnerable endpoint is recommended to detect exploitation attempts early.