CVE-2025-11087 Overview
The Zegen Core plugin for WordPress contains a critical Cross-Site Request Forgery (CSRF) vulnerability combined with arbitrary file upload capability in versions up to and including 2.0.1. This vulnerability exists due to missing nonce validation and missing file type validation in the /custom-font-code/custom-fonts-uploads.php file. This security flaw enables unauthenticated attackers to upload arbitrary files to the affected site's server, potentially leading to remote code execution when a site administrator is tricked into clicking a malicious link.
Critical Impact
Unauthenticated attackers can achieve remote code execution by uploading malicious files through CSRF attack vectors targeting WordPress administrators.
Affected Products
- Zegen Core Plugin for WordPress versions up to and including 2.0.1
- WordPress sites using the Zegen Church WordPress Theme
Discovery Timeline
- 2025-11-21 - CVE-2025-11087 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-11087
Vulnerability Analysis
This vulnerability represents a chained attack combining two distinct security weaknesses: Cross-Site Request Forgery (CWE-352) and unrestricted file upload. The vulnerable endpoint in /custom-font-code/custom-fonts-uploads.php fails to implement proper security controls on two fronts.
First, the absence of nonce validation means the application does not verify that file upload requests originate from legitimate administrator actions. WordPress nonces are cryptographic tokens designed to protect against CSRF attacks, and their omission allows attackers to craft malicious requests that execute under the context of an authenticated administrator.
Second, the missing file type validation allows any file format to be uploaded to the server. When combined with the CSRF weakness, an attacker can upload PHP web shells or other executable content. Once the malicious file is uploaded, the attacker can access it directly to execute arbitrary commands on the server.
Root Cause
The root cause of this vulnerability is the inadequate implementation of security controls within the custom font upload functionality. The custom-fonts-uploads.php file processes file upload requests without verifying the request origin through WordPress nonce tokens (wp_verify_nonce()) and without validating that uploaded files are limited to safe font file types (such as .ttf, .woff, .woff2, or .otf). This dual security control failure creates an exploitable path for attackers.
Attack Vector
The attack requires social engineering to succeed. An attacker must craft a malicious web page containing a hidden form that submits to the vulnerable WordPress endpoint. The form would carry a payload file (such as a PHP web shell) and the parameters needed to trigger the upload. When a logged-in WordPress administrator visits the malicious page, the browser submits the form with the administrator's session cookies attached, so the request arrives authenticated as the administrator even though the attacker holds no credentials of their own. The server processes the upload without nonce verification and stores the file without checking its type. The attacker can then request the uploaded file directly to achieve remote code execution.
The attack flow requires network access and user interaction, specifically requiring an administrator to click a malicious link while authenticated to their WordPress site.
Detection Methods for CVE-2025-11087
Indicators of Compromise
- Unexpected files in WordPress upload directories, particularly PHP files in custom font upload locations
- Web server access logs showing POST requests to /wp-content/plugins/zegen-core/custom-font-code/custom-fonts-uploads.php from external referrers
- Suspicious file modifications or new executable files in the WordPress installation
- Unusual outbound network connections from the web server indicating potential web shell activity
Detection Strategies
- Monitor file system changes in WordPress plugin directories for newly created PHP or other executable files
- Implement web application firewall (WAF) rules to detect CSRF patterns targeting the vulnerable endpoint
- Review web server access logs for requests to the custom-fonts-uploads.php endpoint with unusual referrer headers
- Deploy file integrity monitoring to alert on unexpected file additions in the Zegen Core plugin directory
Monitoring Recommendations
- Enable WordPress audit logging to track administrative actions and file upload events
- Configure SIEM alerts for POST requests to the vulnerable endpoint originating from external domains
- Implement real-time file system monitoring on WordPress installations to detect unauthorized file uploads
- Review server logs regularly for evidence of web shell deployment or post-exploitation activity
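The log review and SIEM alerting items above, worked as an added example (not from the advisory or the plugin): a small PHP script that flags successful POSTs to the vulnerable endpoint whose Referer is absent or from a host other than the site. The site host and the access-log lines are constructed assumptions.

```php
<?php
// Added example (not from the advisory or the plugin): flag successful POSTs
// to the vulnerable endpoint whose Referer is missing or from another host,
// the pattern a CSRF-driven upload leaves in access logs.
// $siteHost is an assumption; the log lines are constructed samples in
// Apache/Nginx combined format.
$siteHost = 'shop.example';
$endpoint = '/wp-content/plugins/zegen-core/custom-font-code/custom-fonts-uploads.php';

$sampleLog = <<<'LOG'
203.0.113.7 - - [21/Nov/2025:10:02:11 +0000] "POST /wp-content/plugins/zegen-core/custom-font-code/custom-fonts-uploads.php HTTP/1.1" 200 512 "https://attacker.invalid/lure.html" "Mozilla/5.0"
198.51.100.4 - - [21/Nov/2025:10:05:42 +0000] "POST /wp-content/plugins/zegen-core/custom-font-code/custom-fonts-uploads.php HTTP/1.1" 200 512 "https://shop.example/wp-admin/admin.php?page=zegen" "Mozilla/5.0"
198.51.100.9 - - [21/Nov/2025:10:06:01 +0000] "GET /wp-content/plugins/zegen-core/custom-font-code/custom-fonts-uploads.php HTTP/1.1" 405 0 "-" "curl/8.0"
192.0.2.55 - - [21/Nov/2025:10:07:30 +0000] "POST /wp-content/plugins/zegen-core/custom-font-code/custom-fonts-uploads.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG;

// Combined format: ip ident user [time] "method path proto" status bytes "referer" "ua"
$pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

function suspiciousUploads(string $log, string $endpoint, string $siteHost, string $pattern): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;                              // unparseable line: skip
        }
        [, $ip, $time, $method, $path, $status, $referer] = $m;
        // Only successful POSTs to the upload handler are of interest.
        if ($method !== 'POST' || strtok($path, '?') !== $endpoint || $status !== '200') {
            continue;
        }
        // No Referer, or a Referer from another host, is the cross-site signature.
        $refHost = $referer === '-' ? '' : (string) parse_url($referer, PHP_URL_HOST);
        if (strcasecmp($refHost, $siteHost) !== 0) {
            $hits[] = ['ip' => $ip, 'time' => $time, 'referer' => $referer];
        }
    }
    return $hits;
}

foreach (suspiciousUploads($sampleLog, $endpoint, $siteHost, $pattern) as $hit) {
    printf("ALERT %s %s referer=%s\n", $hit['time'], $hit['ip'], $hit['referer']);
}
```

Browsers may strip the Referer entirely under a restrictive Referrer-Policy, which is why a bare "-" is flagged as well; a same-host Referer lowers suspicion but does not by itself prove the request was legitimate.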
How to Mitigate CVE-2025-11087
Immediate Actions Required
- Update the Zegen Core plugin to a patched version if available
- If no patch is available, disable the Zegen Core plugin until a security update is released
- Audit the WordPress file system for any suspicious uploaded files, particularly in font upload directories
- Review web server logs for any evidence of exploitation attempts against the vulnerable endpoint
Patch Information
Site administrators should check the ThemeForest Product Page for updates to the Zegen Church WordPress Theme and its associated Zegen Core plugin. Additionally, the Wordfence Vulnerability Report provides detailed information about this vulnerability and remediation guidance.
Workarounds
- Disable the Zegen Core plugin if it is not essential for site functionality
- Implement server-level restrictions to block POST requests to the vulnerable custom-fonts-uploads.php endpoint
- Add custom nonce validation and file type checking to the vulnerable file if source code modification is feasible
- Deploy a web application firewall with rules to block CSRF attempts and restrict file upload types
If direct code modification is necessary as a temporary workaround, administrators should add proper WordPress nonce verification and implement an allowlist for file extensions (limiting uploads to font file types such as .ttf, .woff, .woff2, .eot, and .otf) in the custom-fonts-uploads.php file. This mitigation should only be applied by experienced developers and should be replaced by an official patch when available.
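The two checks described above, as an added example of how a hardened handler would look (this is not the plugin's own code): the function name, the nonce action 'zegen_font_upload' and the form field 'font_file' are assumptions, while the WordPress functions called are real. Registering the handler on a request hook and emitting the nonce in the form are left out.

```php
<?php
// Added example (not the plugin's own code): the two checks the advisory
// calls for, applied to a hypothetical custom-font upload handler. The
// function, nonce action and field names are assumptions; the WordPress
// APIs called are real.
if (!defined('ABSPATH')) {
    exit;                                      // only run inside WordPress
}

function zegen_handle_font_upload(): void
{
    // 1. CSRF: require a nonce bound to this action and the current user.
    //    wp_verify_nonce() is false for a missing, forged or expired nonce.
    $nonce = isset($_POST['_wpnonce']) ? sanitize_text_field(wp_unslash($_POST['_wpnonce'])) : '';
    if (!wp_verify_nonce($nonce, 'zegen_font_upload')) {
        wp_die('Invalid request token.', 'Forbidden', ['response' => 403]);
    }
    // A nonce proves intent, not privilege: also check the capability.
    if (!current_user_can('upload_files')) {
        wp_die('Insufficient permissions.', 'Forbidden', ['response' => 403]);
    }
    if (empty($_FILES['font_file']['tmp_name'])) {
        wp_die('No file received.', 'Bad Request', ['response' => 400]);
    }

    // 2. File type: allowlist of font extensions with their MIME types.
    //    Anything else (.php, .phtml, double extensions, ...) is rejected.
    $allowed = [
        'ttf'   => 'font/ttf',
        'otf'   => 'font/otf',
        'woff'  => 'font/woff',
        'woff2' => 'font/woff2',
        'eot'   => 'application/vnd.ms-fontobject',
    ];
    $file  = $_FILES['font_file'];
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], $allowed);
    if (empty($check['ext']) || !isset($allowed[$check['ext']])) {
        wp_die('Only .ttf, .otf, .woff, .woff2 and .eot fonts are accepted.', 'Unsupported Media Type', ['response' => 415]);
    }

    // wp_handle_upload() re-validates against the same allowlist and stores
    // the file under wp-content/uploads with a sanitized file name.
    $result = wp_handle_upload($file, ['test_form' => false, 'mimes' => $allowed]);
    if (isset($result['error'])) {
        wp_die(esc_html($result['error']), 'Upload failed', ['response' => 400]);
    }
    wp_send_json_success(['url' => $result['url']]);
}
```

The submitting form must include the matching token, for example via wp_nonce_field('zegen_font_upload'), or every request will be rejected at the first check.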
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.