What is the severity of CVE-2025-2801?

CVE-2025-2801 is classified as a critical vulnerability due to its ability to allow arbitrary shortcode execution in affected versions.

Who is affected by CVE-2025-2801?

All users of the 'Create custom forms for WordPress with a smart form plugin for smart businesses' plugin versions up to and including 1.2.4 are affected by CVE-2025-2801.

What type of attack does CVE-2025-2801 enable?

CVE-2025-2801 enables attackers to execute arbitrary shortcodes on affected WordPress sites, potentially leading to unwanted actions or exposure of sensitive data.

Is there any workaround for CVE-2025-2801?

There are no known workarounds for CVE-2025-2801; the recommended action is to update to the latest version of the plugin.

Vulnerability/
CVE-2025-2801

high

7.3

CWE

26/4/2025

29/4/2025

CVE-2025-2801: Create custom forms for WordPress with a smart form plugin for smart businesses <= 1.2.4 - Unauthenticated Arbitrary Shortcode Execution

Q: How do I fix CVE-2025-2801?

To fix CVE-2025-2801, update the 'Create custom forms for WordPress with a smart form plugin for smart businesses' plugin to version 1.2.5 or later.

First published: Sat Apr 26 2025(Updated: )

The The Create custom forms for WordPress with a smart form plugin for smart businesses plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Credit: security@wordfence.com

Affected Software	Affected Version	How to fix
WordPress Smart Forms	<=1.2.4

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2025-2801?
CVE-2025-2801 is classified as a critical vulnerability due to its ability to allow arbitrary shortcode execution in affected versions.
How do I fix CVE-2025-2801?
To fix CVE-2025-2801, update the 'Create custom forms for WordPress with a smart form plugin for smart businesses' plugin to version 1.2.5 or later.
Who is affected by CVE-2025-2801?
All users of the 'Create custom forms for WordPress with a smart form plugin for smart businesses' plugin versions up to and including 1.2.4 are affected by CVE-2025-2801.
What type of attack does CVE-2025-2801 enable?
CVE-2025-2801 enables attackers to execute arbitrary shortcodes on affected WordPress sites, potentially leading to unwanted actions or exposure of sensitive data.
Is there any workaround for CVE-2025-2801?
There are no known workarounds for CVE-2025-2801; the recommended action is to update to the latest version of the plugin.

collector/mitre-cve
source/MITRE
agent/weakness
agent/references
agent/title
agent/type
agent/first-publish-date
agent/description
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/softwarecombine
collector/nvd-api
source/NVD
agent/author
agent/source
agent/severity
agent/last-modified-date
agent/tags
agent/event
vendor/wordpress
canonical/wordpress smart forms

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.