CVE-2025-12528 is a critical vulnerability in the Pie Forms — Drag & Drop Form Builder plugin for WordPress, affecting all versions up to 1.6. The root cause is insufficient validation of uploaded file types in the format_classic function. The validate_classic method checks file extensions and sets error messages for disallowed types but does not halt the upload process, allowing files with dangerous extensions like .php to be uploaded. This flaw enables unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution (RCE) on the affected server. Exploitation requires the attacker to guess the directory where the file is stored, which is based on a somewhat predictable hash, and the file name, which is generated using a secure hash method, thus reducing but not negating the risk. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its severity. The CVSS 3.1 score of 8.1 reflects high impact on confidentiality, integrity, and availability, with network attack vector and high attack complexity. Although no public exploits are reported yet, the nature of the vulnerability makes it a prime target for attackers aiming to compromise WordPress sites by uploading web shells or malicious scripts. The plugin is widely used in WordPress environments, which are prevalent across many sectors, including e-commerce, government, and SMEs. The lack of a patch at the time of disclosure necessitates immediate defensive measures to prevent exploitation.

For European organizations, this vulnerability poses a significant risk of unauthorized remote code execution, which can lead to full system compromise, data breaches, defacement, or use of the compromised server for further attacks such as phishing or malware distribution. Organizations relying on WordPress sites with the vulnerable Pie Forms plugin, especially those with public-facing forms, are at heightened risk. The impact is particularly severe for sectors handling sensitive personal data, financial information, or critical infrastructure services, as attackers could gain persistent access or disrupt services. The ability to upload arbitrary PHP files means attackers can execute commands, pivot within networks, and exfiltrate data. Given the widespread use of WordPress in Europe, including government portals, educational institutions, and commercial websites, the potential for large-scale exploitation exists. The requirement to guess hashed directories and filenames adds some complexity but does not eliminate the threat, especially for skilled attackers or automated tools. The absence of known exploits in the wild currently provides a window for mitigation, but the risk of imminent exploitation remains high.

1. Immediately audit all WordPress installations for the presence of the Pie Forms — Drag & Drop Form Builder plugin and identify versions up to 1.6. 2. Apply vendor patches as soon as they are released; if no patch is available, consider disabling or uninstalling the plugin temporarily. 3. Implement strict web application firewall (WAF) rules to block file uploads with dangerous extensions such as .php, .phtml, .php5, etc., especially on form upload endpoints. 4. Restrict file upload directories with proper permissions and disable execution of scripts in upload folders via web server configuration (e.g., using .htaccess or nginx directives). 5. Monitor web server logs and file system changes for suspicious upload activity or access to unusual hashed directories. 6. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect attempts to exploit arbitrary file upload vulnerabilities. 7. Educate site administrators on secure plugin management and the risks of outdated plugins. 8. Consider implementing additional validation layers on file uploads, such as MIME type verification and content inspection. 9. Regularly back up website data and configurations to enable rapid recovery in case of compromise. 10. Conduct penetration testing focused on file upload functionalities to identify residual risks.