cleantalk
Vulnerabilities and Security Researches

Tablesome – Responsive Table, Email Log, Form Automation – Contact Form 7, Elementor, WPForms, Gravity Forms, Fluen, CVE-2025-11499

CVE, Research URL

CVE-2025-11499

Home page URL

Security reports for Tablesome – Responsive Table, Email Log, Form Automation – Contact Form 7, Elementor, WPForms, Gravity Forms, Fluen

Application

Tablesome – Responsive Table, Email Log, Form Automation – Contact Form 7, Elementor, WPForms, Gravity Forms, Fluen

Published on
Nov 01, 2025
Research Description
The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image_from_external_url() function in all versions up to, and including, 1.1.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in configurations where unauthenticated users have been provided with a method for adding featured images, and the workflow trigger is created.
Affected versions
max 1.3.33.
Status
vulnerable
Previous vulnerability researches
LearnPress Export Import – WordPress extension for LearnPress (CVE-2024-32588) , Jun 07, 2024
LearnPress Export Import – WordPress extension for LearnPress (CVE-2024-31241) , Jun 07, 2024
LearnPress Export Import – WordPress extension for LearnPress (CVE-2023-30487) , Jun 07, 2024
LearnPress Export Import – WordPress extension for LearnPress (CVE-2025-60200) , Nov 10, 2025
LearnPress Export Import – WordPress extension for LearnPress (CVE-2025-49992) , Nov 10, 2025
New vulnerability
WPC Smart Messages for WooCommerce (CVE-2025-62903) , Nov 11, 2025
Popular Posts by Webline (CVE-2025-62900) , Nov 11, 2025
Simple Youtube Shortcode (CVE-2025-11811) , Nov 11, 2025
Open Currency Converter (CVE-2025-62939) , Nov 11, 2025
Cookie Notice & Consent (CVE-2025-10496) , Nov 11, 2025