CVE-2025-2801: 
WordPress vulnerability analysis and mitigation

CVE-2025-2801 affects the Create custom forms for WordPress plugin (ABCSubmit) up to version 1.2.4, discovered and disclosed on April 26, 2025. The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes due to improper validation in the plugin's functionality (NVD CVE, Wiz Report).

The vulnerability stems from the plugin's failure to properly validate values before executing the do_shortcode function. It has been classified as CWE-94 (Improper Control of Generation of Code) and assigned a CVSS v3.1 Base Score of 7.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (NVD CVE, Wordfence Advisory).

The vulnerability enables unauthenticated attackers to execute arbitrary shortcodes, which could potentially lead to unauthorized actions and compromise of the WordPress site's security. The impact affects confidentiality, integrity, and availability of the system, as indicated by the CVSS scoring (Wiz Report).

Users are advised to disable and remove the plugin until a security fix is available. The plugin has been temporarily closed for a full security review as of April 24, 2025 (WordPress Plugin).