Skip to main content
CVE Vulnerability Database

CVE-2025-9515: Multi Step Form WordPress RCE Vulnerability

CVE-2025-9515 is a remote code execution flaw in the Multi Step Form WordPress plugin that allows authenticated administrators to upload malicious files. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-9515 Overview

The Multi Step Form plugin for WordPress contains an arbitrary file upload vulnerability in versions up to and including 1.7.25. The flaw exists in the plugin's import functionality, which fails to properly validate uploaded file types. Authenticated attackers with Administrator-level access or above can upload arbitrary files to the affected site's server. This can lead to remote code execution on the underlying WordPress host. The issue is tracked as [CWE-434: Unrestricted Upload of File with Dangerous Type].

Critical Impact

Authenticated administrators can upload arbitrary PHP files through the form import feature, enabling remote code execution and full compromise of the WordPress server.

Affected Products

  • Multi Step Form plugin for WordPress, all versions through 1.7.25
  • Mondula GmbH mondula-form-wizard distribution
  • WordPress sites with the Multi Step Form plugin installed and activated

Discovery Timeline

  • 2025-09-06 - CVE-2025-9515 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-9515

Vulnerability Analysis

The vulnerability resides in the JSON import handler implemented in includes/admin/msf-admin.class.php. The plugin accepts uploaded files through the form import feature and only checks the reported MIME type returned by wp_check_filetype(). It does not verify the file extension or inspect the file contents for executable code. An authenticated administrator can submit a crafted upload that bypasses the weak MIME comparison and lands on disk. If the upload location is web-accessible, the attacker can request the file directly to trigger PHP execution. This produces full remote code execution under the WordPress process user.

Root Cause

The original import routine performed a single check against $file_type['type'] !== 'application/json' without validating the file extension or scanning content. Attackers controlling the request can manipulate MIME detection or supply polyglot files containing <?php tags. The patched code adds extension validation, PHP tag scanning, and structural JSON decoding before processing.

Attack Vector

Exploitation requires an authenticated session with Administrator privileges. The attacker navigates to the Multi Step Form import screen and submits a file containing PHP code with a JSON MIME header. Once written to disk, the file can be invoked through the web server to execute arbitrary commands. The high privilege requirement narrows the threat to scenarios involving credential theft, insider abuse, or compromise of a single admin account on multi-admin sites.

php
// Patched validation in includes/admin/msf-admin.class.php
// SECURITY FIX: Enhanced file validation while maintaining JSON upload functionality
$file_type = wp_check_filetype($uploaded['file'], array('json' => 'application/json'));
$file_extension = strtolower(pathinfo($uploaded['file'], PATHINFO_EXTENSION));

// Check both MIME type and file extension
if ($file_type['type'] !== 'application/json' || $file_extension !== 'json') {
    $this->notice('error', __('Only JSON files are allowed for import.', 'multi-step-form'));
    wp_delete_file($uploaded['file']); // Clean up uploaded file
    return;
}

// SECURITY FIX: Content validation to detect PHP code
$content = file_get_contents($uploaded['file']);
if (strpos($content, '<?php') !== false || strpos($content, '<?=') !== false || strpos($content, '<? ') !== false) {
    $this->notice('error', __('File contains PHP code and is not allowed for security reasons.', 'multi-step-form'));
    wp_delete_file($uploaded['file']); // Clean up uploaded file
    return;
}

// SECURITY FIX: Validate JSON structure
$json_data = json_decode($content, true);

Source: GitHub Commit 590f9ac

Detection Methods for CVE-2025-9515

Indicators of Compromise

  • Unexpected .php, .phtml, or .phar files inside the WordPress wp-content/uploads/ directory tree, particularly in folders created by the Multi Step Form plugin
  • Administrator account activity invoking the form import endpoint followed by direct web requests to newly created files
  • Outbound network connections from the PHP-FPM or web server process to unfamiliar hosts shortly after a successful import
  • WordPress audit log entries showing form import actions correlated with web shell access patterns

Detection Strategies

  • Inspect web access logs for POST requests to the Multi Step Form admin import handler, followed by GET requests to files in the uploads directory
  • Hash and compare files in the uploads directory against a baseline to identify newly introduced executable content
  • Enable WordPress administrative event logging to capture file import actions tied to admin user IDs
  • Scan stored uploads for the strings <?php, <?=, and <? to identify unauthorized PHP payloads

Monitoring Recommendations

  • Alert on creation or modification of PHP files under wp-content/uploads/ since this directory should not contain executable code
  • Monitor administrator logins from unusual geolocations or IP ranges, as exploitation requires admin credentials
  • Track child process creation from the PHP interpreter that spawns shells, curl, or wget commands
  • Forward WordPress and web server logs to a centralized analytics platform for correlation across hosts

How to Mitigate CVE-2025-9515

Immediate Actions Required

  • Update the Multi Step Form plugin to version 1.7.26 or later on every WordPress installation
  • Audit the wp-content/uploads/ directory for unauthorized PHP files and remove any found
  • Review administrator account inventory and rotate credentials for any account that may have been compromised
  • Enforce multi-factor authentication for all WordPress users with Administrator or Editor roles

Patch Information

Mondula GmbH released version 1.7.26 of the Multi Step Form plugin, which adds extension validation, PHP tag content scanning, and JSON structure verification in the import handler. The fix is documented in the GitHub Commit 590f9ac and the corresponding WordPress Plugin Changeset. Full details are available in the Wordfence Vulnerability Report.

Workarounds

  • Deactivate the Multi Step Form plugin until the site can be updated to version 1.7.26 or later
  • Configure the web server to deny execution of PHP files within wp-content/uploads/ using directory-level rules
  • Restrict Administrator role assignments to the minimum number of trusted personnel
  • Place the WordPress admin interface behind an IP allowlist or VPN to reduce exposure of the privileged import endpoint
bash
# Apache .htaccess example: block PHP execution in uploads directory
# Place in wp-content/uploads/.htaccess
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>

# Nginx equivalent: add to server block
# location ~* /wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ {
#     deny all;
#     return 403;
# }

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.