CVE-2025-11977 in Happyforms Plugin
Summary
by MITRE • 07/10/2026
The Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.26.12 via the happyforms_get_form_partial() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The Happyforms plugin for WordPress presents a critical local file inclusion vulnerability that affects all versions up to and including 126.12. This vulnerability stems from improper input validation within the happyforms_get_form_partial() function which fails to sanitize user-supplied parameters before using them in file inclusion operations. The flaw exists at the core of how the plugin handles form partial rendering, creating a pathway for authenticated attackers with administrator privileges to manipulate file paths and execute arbitrary PHP code on the target server.
The technical implementation of this vulnerability allows an attacker to leverage their administrative access to construct malicious file paths that bypass normal file system restrictions. When the happyforms_get_form_partial() function processes user input without adequate sanitization, it directly incorporates unsanitized parameters into file inclusion statements, enabling attackers to specify any local file path that the web server can access. This creates a direct code execution vector where PHP files stored on the server can be included and executed with the privileges of the web application, potentially allowing full compromise of the WordPress installation.
The operational impact of this vulnerability extends beyond simple code execution capabilities as it fundamentally undermines the security model of the WordPress platform. Attackers can use this vulnerability to bypass access controls that should normally protect sensitive system files, database credentials, or configuration settings. The ability to include and execute arbitrary PHP code means that compromised systems could be used to establish persistent backdoors, exfiltrate data, or deploy additional malicious payloads. In environments where the plugin allows php file uploads, attackers could even upload malicious files and then include them through this vulnerability to achieve immediate code execution.
Security mitigation strategies should focus on immediate patching of the vulnerable plugin to version 1.26.13 or later which contains the necessary input validation fixes. Organizations should also implement network segmentation and access controls to limit administrative privileges to only essential personnel, while monitoring for unusual file inclusion patterns in web server logs. The vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and represents a classic path traversal attack vector that can be addressed through proper input validation and the principle of least privilege. Additionally, implementing Web Application Firewall rules to detect and block suspicious file inclusion patterns can provide defense-in-depth protection against exploitation attempts.
This vulnerability demonstrates the critical importance of validating all user inputs in web applications and highlights how seemingly minor flaws in file handling functions can create severe security implications. The attack surface becomes particularly dangerous when combined with other vulnerabilities or misconfigurations that might allow privilege escalation, as demonstrated by the requirement for administrator-level access to exploit this specific weakness. Organizations should conduct comprehensive security assessments of all WordPress plugins and themes to identify similar vulnerabilities that could be exploited through authenticated sessions, ensuring that proper input sanitization is implemented throughout the application codebase.