Urgent Security Alert: Zegen Core Plugin Vulnerable to Arbitrary File Upload (CVE-2025-11087)

Overview

A high-severity vulnerability, tracked as CVE-2025-11087, has been disclosed in the Zegen Core plugin for WordPress. The plugin's custom font upload handler performs neither nonce (CSRF) validation nor file type validation, so an attacker who holds no account on the site can still upload arbitrary files by luring a logged-in site administrator into submitting a forged request. Because the upload is not restricted to font files, an attacker can place a PHP script on the server, which can lead to remote code execution.

This vulnerability affects versions up to and including 2.0.1 of the Zegen Core plugin.

Technical Details

The Zegen Core plugin fails to implement nonce validation and file type validation in the /custom-font-code/custom-fonts-uploads.php file. An attacker can therefore host a page that submits a crafted multipart request to that endpoint, trick a logged-in site administrator into loading it (for example, by clicking a link or visiting a page that auto-submits a hidden form), and have the administrator's browser upload a file of the attacker's choosing. Without file type validation, that file can be a PHP script or other executable content, which compromises the entire WordPress installation once it is requested from the web.

The lack of nonce validation allows the attacker to bypass the check designed to prevent CSRF attacks. Nonces are unique, unpredictable tokens tied to a user and an action; a request carrying a valid nonce proves the user intentionally performed that action from a form the site itself served. In WordPress they are emitted with wp_nonce_field() and verified with check_admin_referer() or wp_verify_nonce(). A cross-site attacker cannot read the victim's nonce, so a handler that verifies it rejects the forged request.
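The following is an added example, not code from the Zegen Core plugin or from this advisory. It reconstructs the class of bug described above (an upload handler with no nonce, capability or file type check) and places a hardened handler beside it. The function names, the nonce action name, the form field name and the font extension allow-list are assumptions chosen for illustration; only the WordPress API calls are real.

```php
<?php
// Added example (not the Zegen Core plugin's own code). zc_demo_* names,
// the 'zc_demo_font_upload' nonce action and the $allowed list are assumptions.

// --- Vulnerable pattern: no nonce, no capability check, no file type check ---
function zc_demo_vulnerable_upload() {
    if ( empty( $_FILES['font_file'] ) ) {
        return false;
    }
    $upload_dir = wp_upload_dir();
    // Any extension, including .php, is written into a web-reachable directory,
    // and nothing proves the request came from an intentional admin action.
    $dest = $upload_dir['basedir'] . '/custom-fonts/' . basename( $_FILES['font_file']['name'] );
    return move_uploaded_file( $_FILES['font_file']['tmp_name'], $dest );
}

// --- Hardened pattern ---
function zc_demo_hardened_upload() {
    // 1. Capability check: only users allowed to manage the site may upload.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the request must carry the nonce minted for this
    //    action. check_admin_referer() dies on a missing or invalid nonce.
    check_admin_referer( 'zc_demo_font_upload', 'zc_demo_font_nonce' );

    if ( empty( $_FILES['font_file'] ) || $_FILES['font_file']['error'] !== UPLOAD_ERR_OK ) {
        return false;
    }

    // 3. Allow-list the accepted types. wp_check_filetype_and_ext() checks the
    //    extension against this list and applies WordPress's MIME sniffing
    //    where it has a sniffer for the type; anything else is rejected.
    $allowed = array(
        'ttf'   => 'font/ttf',
        'otf'   => 'font/otf',
        'woff'  => 'font/woff',
        'woff2' => 'font/woff2',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['font_file']['tmp_name'],
        $_FILES['font_file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return false;
    }

    // 4. Let WordPress move the file so its own upload checks and filename
    //    sanitisation apply; 'mimes' restricts it to the allow-list again.
    $overrides = array( 'test_form' => false, 'mimes' => $allowed );
    $result    = wp_handle_upload( $_FILES['font_file'], $overrides );
    if ( isset( $result['error'] ) ) {
        return false;
    }
    return $result['file'];
}

// The form that posts to the hardened handler must embed the matching nonce;
// a page on an attacker's domain cannot produce this value for the victim.
function zc_demo_upload_form_html() {
    return '<form method="post" enctype="multipart/form-data">'
        . wp_nonce_field( 'zc_demo_font_upload', 'zc_demo_font_nonce', true, false )
        . '<input type="file" name="font_file">'
        . '<button type="submit">Upload font</button></form>';
}
```

The three checks are independent and all three are needed: the capability check stops low-privilege or anonymous users, the nonce stops a forged request riding on an administrator's session, and the allow-list stops a legitimate administrator (or a forged request that slipped past the first two) from planting executable content. As defence in depth, the uploads directory should also be configured so the web server never executes PHP from it.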

CVSS Analysis

The vulnerability has been assigned a CVSS v3.1 base score of 8.8, indicating HIGH severity. This score reflects the potential for significant impact and the low effort needed to exploit it. The vector is:

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): High (H)
  • Integrity Impact (I): High (H)
  • Availability Impact (A): High (H)

"Privileges Required: None" reflects that the attacker needs no account on the site; "User Interaction: Required" reflects that a logged-in administrator must be tricked into loading the attacker's page or link. Scope is Unchanged because the compromised component and the impacted component are the same WordPress installation (a Changed scope with these impacts would score 9.6, not 8.8). Because the payoff on success is full control of the site, the overall severity remains high despite the interaction requirement.

Possible Impact

Successful exploitation of this vulnerability could have severe consequences, including:

  • Remote Code Execution (RCE): Attackers could execute arbitrary code on the server, potentially taking complete control of the website.
  • Website Defacement: Attackers could modify the website’s content, damaging its reputation.
  • Data Theft: Attackers could steal sensitive data, such as user credentials or customer information.
  • Malware Distribution: Attackers could use the compromised website to distribute malware to visitors.

Mitigation or Patch Steps

The most effective way to mitigate this vulnerability is to:

  1. Update the Zegen Core plugin: Check for updates to the Zegen Core plugin within your WordPress dashboard and update as soon as a patched version is available. A fixed release closes the issue by adding the missing nonce and file type checks; after updating, confirm that the installed version is later than 2.0.1.
  2. If an update is not available: As an immediate workaround, temporarily deactivate the Zegen Core plugin until a patch is released. You can also add a web application firewall (WAF) rule for the /custom-font-code/custom-fonts-uploads.php endpoint, for example rejecting POST requests whose Referer header is not your own site, or blocking the endpoint entirely if you do not use the custom font feature. A WAF rule is a stop-gap, not a substitute for the patch.
  3. Monitor your website: Review your web server and application logs for requests to /custom-font-code/custom-fonts-uploads.php, especially POSTs with a foreign or missing Referer, and for new .php files appearing under wp-content/uploads. Treat any executable file in the uploads tree as a likely web shell until proven otherwise.
  4. Educate users: Train website administrators to be cautious of unsolicited links while logged in to WordPress, and to log out of the admin area when they are done working.
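To make the monitoring step concrete, here is an added example (not from this advisory or the plugin) of a small PHP CLI script that scans access-log lines for the two signals that matter here: requests to the vulnerable handler, and requests for executable files under wp-content/uploads. It also walks an uploads directory looking for PHP files. The log lines are constructed for the example; the plugin directory name "zegen-core" in the sample path, the IP addresses and the file names are assumptions, while the handler path itself is the one named in the advisory. It requires PHP 8 or later.

```php
<?php
// Added example, not from the page or the plugin. Sample log lines below are
// constructed; the "zegen-core" directory, IPs and file names are assumptions.

const ZC_ENDPOINT = '/custom-font-code/custom-fonts-uploads.php';

// Parse one combined-format (Apache/nginx) log line, or return null if it does not match.
function zc_parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)(?: "([^"]*)" "([^"]*)")?/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[7] ?? '-',
        'ua'      => $m[8] ?? '-',
    );
}

// Return the entries worth a closer look, each tagged with the reason.
function zc_find_suspicious( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $r = zc_parse_log_line( $line );
        if ( $r === null ) {
            continue;
        }
        $path   = strtok( $r['path'], '?' ); // drop the query string
        $reason = null;
        if ( str_contains( $path, ZC_ENDPOINT ) ) {
            // A CSRF-driven upload arrives as a POST; its Referer is the
            // attacker's lure page (or absent), not the site's own admin area.
            $reason = $r['method'] === 'POST' ? 'POST to upload handler' : 'probe of upload handler';
        } elseif ( preg_match( '#/wp-content/uploads/.*\.(php|phtml|phar)$#i', $path ) ) {
            // This is where a planted web shell would be fetched from.
            $reason = 'executable file requested from uploads directory';
        }
        if ( $reason !== null ) {
            $hits[] = array( 'reason' => $reason ) + $r;
        }
    }
    return $hits;
}

// Walk an uploads tree and list files the web server could execute.
function zc_scan_uploads_for_php( string $dir ): array {
    $found = array();
    if ( ! is_dir( $dir ) ) {
        return $found;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( preg_match( '/\.(php|phtml|phar)$/i', $file->getFilename() ) ) {
            $found[] = $file->getPathname();
        }
    }
    return $found;
}

// Constructed sample log lines: a normal admin visit, a forged upload POST
// with a foreign Referer, a web shell being invoked, and a benign image fetch.
$sample = array(
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2025:12:00:09 +0000] "POST /wp-content/plugins/zegen-core/custom-font-code/custom-fonts-uploads.php HTTP/1.1" 200 88 "http://evil.example/lure.html" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2025:12:01:30 +0000] "GET /wp-content/uploads/custom-fonts/shell.php?cmd=id HTTP/1.1" 200 412 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Oct/2025:12:02:00 +0000] "GET /wp-content/uploads/2025/10/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
);

foreach ( zc_find_suspicious( $sample ) as $h ) {
    printf( "%s %s %s %s -> %s (referer: %s)\n",
        $h['time'], $h['ip'], $h['method'], $h['path'], $h['reason'], $h['referer'] );
}
// Pass the real uploads directory as the first argument when running from the CLI.
foreach ( zc_scan_uploads_for_php( $argv[1] ?? 'wp-content/uploads' ) as $f ) {
    echo "executable file in uploads: $f\n";
}
```

Run it against a real log by replacing $sample with file('/var/log/apache2/access.log') (or your nginx access log). A POST to the handler from a Referer you do not recognise, followed shortly by a GET for a .php file in the uploads tree, is the exact sequence this vulnerability produces and should trigger an incident response, starting with removing the file and rotating the affected administrator's credentials.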

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.