A critical unauthenticated arbitrary file upload vulnerability (CVE-2025-5678, CVSS 9.8) has been found in the FormCraft Pro WordPress plugin, installed on thousands of websites. The flaw allows attackers to upload malicious files (like web shells) and gain complete control over the affected website.
Business Impact
Website takeover can lead to defacement, hosting of malicious content, redirection of visitors to phishing sites, theft of customer data submitted through forms, and significant reputational damage. Compromised sites can also be used to launch attacks against visitors or other systems.
Why It Happened
The vulnerability likely stems from insufficient validation of file types or paths during the file upload process handled by the plugin, allowing attackers to bypass security checks and place executable code on the web server.
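To make that failure mode concrete, here is an added illustration, not FormCraft Pro's own code (this summary does not describe the plugin's internals): a WordPress AJAX upload handler of the kind that yields an arbitrary file upload, beside a hardened version built on WordPress's own checks. The hook names, nonce action and form field names are assumed for the example.

```php
<?php
// Added illustration of the bug class; NOT code from FormCraft Pro.
// Hook names, nonce action and the 'file' field name are assumed.

// VULNERABLE: reachable without login (wp_ajax_nopriv_), trusts the
// client-supplied file name and does no type or path validation.
add_action('wp_ajax_nopriv_form_upload', 'insecure_form_upload');
function insecure_form_upload() {
    $upload_dir = wp_upload_dir()['basedir'] . '/forms/';
    // Raw name permits traversal ("../") and server-executable extensions,
    // so an attacker can place a web shell under the web root.
    move_uploaded_file($_FILES['file']['tmp_name'], $upload_dir . $_FILES['file']['name']);
    wp_send_json_success();
}

// HARDENED: require a nonce and a capability, allowlist types, verify the
// real type against the extension, sanitize the name, and let
// wp_handle_upload() place the file inside the uploads directory.
add_action('wp_ajax_form_upload', 'secure_form_upload');
function secure_form_upload() {
    check_ajax_referer('form_upload_nonce', 'nonce');        // CSRF / intent check
    if (!current_user_can('upload_files')) {                 // authorization
        wp_send_json_error('forbidden', 403);
    }
    if (empty($_FILES['file']['tmp_name']) || !is_uploaded_file($_FILES['file']['tmp_name'])) {
        wp_send_json_error('no file', 400);
    }
    // Only what the form genuinely needs; never server-executable types.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    // basename() + sanitize_file_name() remove path components and odd characters.
    $name = sanitize_file_name(basename($_FILES['file']['name']));
    // Compares extension, declared MIME and (where WordPress can) actual content.
    $check = wp_check_filetype_and_ext($_FILES['file']['tmp_name'], $name, $allowed);
    if (empty($check['ext']) || empty($check['type'])) {
        wp_send_json_error('file type not allowed', 415);
    }
    $file = $_FILES['file'];
    $file['name'] = $name;
    // 'mimes' re-enforces the allowlist inside WordPress's own upload pipeline.
    $result = wp_handle_upload($file, array('test_form' => false, 'mimes' => $allowed));
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 400);
    }
    wp_send_json_success(array('url' => $result['url']));
}
```

Keep the allowlist as narrow as the form really needs, and pair it with web-server rules that refuse to execute scripts from the uploads directory, so a validation bypass alone does not yield code execution.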
Recommended Executive Action
Direct web administrators to immediately update the FormCraft Pro plugin to the latest patched version or disable and remove it if an update is not possible. Implement a web application firewall (WAF) to help block malicious file uploads.
