CVE-2025-9515

Source
https://cve.org/CVERecord?id=CVE-2025-9515
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9515.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-9515
Published
2025-09-06T02:24:17.551Z
Modified
2026-07-08T07:54:29.605433572Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Multi Step Form <= 1.7.25 - Authenticated (Admin+) Arbitrary File Upload
Details

The Multi Step Form plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the import functionality in all versions up to, and including, 1.7.25. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/9xxx/CVE-2025-9515.json",
    "cna_assigner": "Wordfence",
    "cwe_ids": [
        "CWE-434"
    ]
}
References

Affected packages

Git / github.com/mlooft/multi-step-form

Affected ranges

Type
GIT
Repo
https://github.com/mlooft/multi-step-form
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.7.25"
        }
    ]
}

Affected versions

1.*
1.0.5
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.6
1.1.7
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.7
1.2.8
1.2.9
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.6.0
1.6.1
1.7.0
1.7.1
1.7.10
1.7.11
1.7.12
1.7.13
1.7.14
1.7.15
1.7.16
1.7.17
1.7.18
1.7.19
1.7.2
1.7.20
1.7.21
1.7.22
1.7.23
1.7.24
1.7.25
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
v1.*
v1.0.0
v1.0.1
v1.0.3
v1.0.4
v1.0.7
v1.0.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9515.json"