CVE-2025-24775: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2025-24775) is an Arbitrary File Upload vulnerability discovered in Made I.T. Forms WordPress plugin versions up to 2.9.0. The vulnerability was discovered by Martino Spagnuolo (r3verii) and was publicly disclosed on August 13, 2025. The issue affects all versions of the Forms plugin through version 2.9.0, with no official fix currently available (Patchstack).

The vulnerability allows for unrestricted upload of files with dangerous types, potentially enabling attackers to upload web shells to the web server. The vulnerability has been assigned a CVSS v3.1 score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (Patchstack).

The vulnerability could allow malicious actors to upload any type of file to the affected website, including backdoors which can then be executed to gain further access to the website. Given the CVSS score of 9.9, this represents a critical security risk with potential for complete system compromise (Patchstack).

Currently, there is no official fix available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until an official fix becomes available. Website administrators are advised to implement the Patchstack mitigation immediately (Patchstack).