CVE-2025-9515 Overview
The Multi Step Form plugin for WordPress contains an arbitrary file upload vulnerability in versions up to and including 1.7.25. The flaw exists in the plugin's import functionality, which fails to properly validate uploaded file types. Authenticated attackers with Administrator-level access or above can upload arbitrary files to the affected site's server. This can lead to remote code execution on the underlying WordPress host. The issue is tracked as [CWE-434: Unrestricted Upload of File with Dangerous Type].
Critical Impact
Authenticated administrators can upload arbitrary PHP files through the form import feature, enabling remote code execution and full compromise of the WordPress server.
Affected Products
- Multi Step Form plugin for WordPress, all versions through 1.7.25
- Mondula GmbH mondula-form-wizard distribution
- WordPress sites with the Multi Step Form plugin installed and activated
Discovery Timeline
- 2025-09-06 - CVE-2025-9515 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-9515
Vulnerability Analysis
The vulnerability resides in the JSON import handler implemented in includes/admin/msf-admin.class.php. The plugin accepts uploaded files through the form import feature and only checks the reported MIME type returned by wp_check_filetype(). It does not verify the file extension or inspect the file contents for executable code. An authenticated administrator can submit a crafted upload that bypasses the weak MIME comparison and lands on disk. If the upload location is web-accessible, the attacker can request the file directly to trigger PHP execution. This produces full remote code execution under the WordPress process user.
Root Cause
The original import routine performed a single check against $file_type['type'] !== 'application/json' without validating the file extension or scanning content. Attackers controlling the request can manipulate MIME detection or supply polyglot files containing <?php tags. The patched code adds extension validation, PHP tag scanning, and structural JSON decoding before processing.
Attack Vector
Exploitation requires an authenticated session with Administrator privileges. The attacker navigates to the Multi Step Form import screen and submits a file containing PHP code with a JSON MIME header. Once written to disk, the file can be invoked through the web server to execute arbitrary commands. The high privilege requirement narrows the threat to scenarios involving credential theft, insider abuse, or compromise of a single admin account on multi-admin sites.
// Patched validation in includes/admin/msf-admin.class.php
// SECURITY FIX: Enhanced file validation while maintaining JSON upload functionality
$file_type = wp_check_filetype($uploaded['file'], array('json' => 'application/json'));
$file_extension = strtolower(pathinfo($uploaded['file'], PATHINFO_EXTENSION));
// Check both MIME type and file extension
if ($file_type['type'] !== 'application/json' || $file_extension !== 'json') {
$this->notice('error', __('Only JSON files are allowed for import.', 'multi-step-form'));
wp_delete_file($uploaded['file']); // Clean up uploaded file
return;
}
// SECURITY FIX: Content validation to detect PHP code
$content = file_get_contents($uploaded['file']);
if (strpos($content, '<?php') !== false || strpos($content, '<?=') !== false || strpos($content, '<? ') !== false) {
$this->notice('error', __('File contains PHP code and is not allowed for security reasons.', 'multi-step-form'));
wp_delete_file($uploaded['file']); // Clean up uploaded file
return;
}
// SECURITY FIX: Validate JSON structure
$json_data = json_decode($content, true);
Source: GitHub Commit 590f9ac
Detection Methods for CVE-2025-9515
Indicators of Compromise
- Unexpected .php, .phtml, or .phar files inside the WordPress wp-content/uploads/ directory tree, particularly in folders created by the Multi Step Form plugin
- Administrator account activity invoking the form import endpoint followed by direct web requests to newly created files
- Outbound network connections from the PHP-FPM or web server process to unfamiliar hosts shortly after a successful import
- WordPress audit log entries showing form import actions correlated with web shell access patterns
Detection Strategies
- Inspect web access logs for POST requests to the Multi Step Form admin import handler, followed by GET requests to files in the uploads directory
- Hash and compare files in the uploads directory against a baseline to identify newly introduced executable content
- Enable WordPress administrative event logging to capture file import actions tied to admin user IDs
- Scan stored uploads for the strings <?php, <?=, and <? to identify unauthorized PHP payloads
Monitoring Recommendations
- Alert on creation or modification of PHP files under wp-content/uploads/ since this directory should not contain executable code
- Monitor administrator logins from unusual geolocations or IP ranges, as exploitation requires admin credentials
- Track child process creation from the PHP interpreter that spawns shells, curl, or wget commands
- Forward WordPress and web server logs to a centralized analytics platform for correlation across hosts
How to Mitigate CVE-2025-9515
Immediate Actions Required
- Update the Multi Step Form plugin to version 1.7.26 or later on every WordPress installation
- Audit the wp-content/uploads/ directory for unauthorized PHP files and remove any found
- Review administrator account inventory and rotate credentials for any account that may have been compromised
- Enforce multi-factor authentication for all WordPress users with Administrator or Editor roles
Patch Information
Mondula GmbH released version 1.7.26 of the Multi Step Form plugin, which adds extension validation, PHP tag content scanning, and JSON structure verification in the import handler. The fix is documented in the GitHub Commit 590f9ac and the corresponding WordPress Plugin Changeset. Full details are available in the Wordfence Vulnerability Report.
Workarounds
- Deactivate the Multi Step Form plugin until the site can be updated to version 1.7.26 or later
- Configure the web server to deny execution of PHP files within wp-content/uploads/ using directory-level rules
- Restrict Administrator role assignments to the minimum number of trusted personnel
- Place the WordPress admin interface behind an IP allowlist or VPN to reduce exposure of the privileged import endpoint
# Apache .htaccess example: block PHP execution in uploads directory
# Place in wp-content/uploads/.htaccess
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
Require all denied
</FilesMatch>
# Nginx equivalent: add to server block
# location ~* /wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ {
# deny all;
# return 403;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

