{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11087", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-26T18:46:02.469Z", "datePublished": "2025-11-21T20:29:04.613Z", "dateUpdated": "2026-04-08T16:36:47.677Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:47.677Z"}, "affected": [{"vendor": "zozothemes", "product": "Zegen Core", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Zegen Core plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.0.1. This is due to missing nonce validation and missing file type validation in the '/custom-font-code/custom-fonts-uploads.php' file. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Zegen Core <= 2.0.1 - Cross-Site Request Forgery to Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/145deebd-1e15-4f8a-878c-9424c2cd9601?source=cve"}, {"url": "https://themeforest.net/item/zegen-church-wordpress-theme/25116823"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "timeline": [{"time": "2025-09-26T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-21T07:31:39.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-21T20:56:29.250688Z", "id": "CVE-2025-11087", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T20:56:34.752Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11087", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-21T20:56:29.250688Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T20:56:32.314Z"}}], "cna": {"title": "Zegen Core <= 2.0.1 - Cross-Site Request Forgery to Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "zozothemes", "product": "Zegen Core", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-26T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-21T07:31:39.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/145deebd-1e15-4f8a-878c-9424c2cd9601?source=cve"}, {"url": "https://themeforest.net/item/zegen-church-wordpress-theme/25116823"}], "descriptions": [{"lang": "en", "value": "The Zegen Core plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.0.1. This is due to missing nonce validation and missing file type validation in the '/custom-font-code/custom-fonts-uploads.php' file. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:47.677Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11087", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:36:47.677Z", "dateReserved": "2025-09-26T18:46:02.469Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-21T20:29:04.613Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Zegen Core plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.0.1. This is due to missing nonce validation and missing file type validation in the '/custom-font-code/custom-fonts-uploads.php' file. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-11087", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-21T21:15:50.577", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/zegen-church-wordpress-theme/25116823"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/145deebd-1e15-4f8a-878c-9424c2cd9601?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:48:37.705196+00:00", "value": {"mitigation_remediation": ["Upgrade Zegen Core to a version later than 2.0.1, which eliminates the missing nonce and file\u2011type validation checks.", "If an upgrade is delayed, implement a server\u2011side restriction to deny execution of files in the custom\u2011fonts uploads directory by adding an .htaccess rule or equivalent configuration.", "Verify the site for any unexpectedly uploaded files and remove them immediately, then force a regeneration of all admin session cookies to ensure any compromised credentials are invalidated."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Zegen Core plugin from Zozothemes for WordPress versions up to and including 2.0.1. Any site running one of those versions is at risk.", "description_and_impact": "Zegen Core for WordPress is vulnerable to a cross\u2011site request forgery (CWE\u2011352) that allows an unauthenticated attacker to upload arbitrary files via the /custom-font-code/custom-fonts-uploads.php endpoint. The flaw stems from missing nonce validation and a lack of file\u2011type checks, so a malicious request can be dispatched to the server and any file placed on the webroot. If the attacker manages to get a site administrator to follow a crafted link, the uploaded file could be executed, enabling remote code execution on the host.", "risk_and_exploitability": "The flaw has a CVSS score of 8.8, indicating high severity. The EPSS score is under 1% and the issue is not listed in the CISA KEV catalog, suggesting exploitation is not yet widespread. The attack vector is a web\u2011based CSRF: an attacker must induce an authenticated administrator to visit a crafted URL or submit a forged form to trigger a file upload. If successful, the attacker could upload a malicious payload that later executes with the privileges of the web server. Given the systemic nature of the impact, the risk remains significant despite the low exploitation probability."}}}}, "created": "2025-11-24T09:08:02.173671+00:00", "updated": "2026-04-27T23:00:13.962805+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "zozothemes", "zozothemes$PRODUCT$zegen"]}