CVE-2025-11087

Name of the Vulnerable Software and Affected Versions Zegen Core versions prior to 2.0.1

Description The Zegen Core plugin for WordPress is susceptible to a Cross-Site Request Forgery (CSRF) issue leading to Arbitrary File Upload. This is caused by a lack of nonce validation and file type validation within the /custom-font-code/custom-fonts-uploads.php file. An unauthenticated attacker could potentially upload arbitrary files to the server by exploiting this flaw, potentially leading to remote code execution if a site administrator is tricked into performing an action.

Recommendations Update Zegen Core to a version newer than 2.0.1.