PatchSiren cyber security CVE debrief
CVE-2025-11977 happyforms CVE debrief
The Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms plugin for WordPress is vulnerable to Local File Inclusion. Authenticated attackers with Administrator-level access can include and execute arbitrary .php files on the server, allowing PHP code execution. This vulnerability has a CVSS score of 6.6 and is classified as MEDIUM severity. The vulnerability exists in all versions up to, and including, 1.26.12 via the happyforms_get_form_partial() function.
- Vendor
- happyforms
- Product
- Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms
- CVSS
- MEDIUM 6.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Administrators of WordPress sites using the Happyforms plugin, especially those allowing Administrator-level access, should prioritize updating to a patched version. Site owners and security teams should review the official advisory and assess their exposure to this vulnerability.
Technical summary
The Happyforms plugin for WordPress is vulnerable to Local File Inclusion via the happyforms_get_form_partial() function. This allows authenticated attackers with Administrator-level access to include and execute arbitrary .php files on the server, enabling PHP code execution. The vulnerability has a CVSS score of 6.6 and is classified as MEDIUM severity. Affected deployments should prioritize updates beyond version 1.26.12 and restrict Administrator-level access. Additional security measures, such as Web Application Firewalls (WAFs), should be considered to mitigate potential impacts. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected deployments and review official advisories for specific guidance on remediation and compensating controls.
Defensive priority
High priority for WordPress administrators, especially those with active plugins and high-privileged user accounts.
Recommended defensive actions
- Update the Happyforms plugin to a version beyond 1.26.12.
- Restrict Administrator-level access to necessary personnel.
- Monitor server logs for suspicious .php file inclusions.
- Implement additional security measures such as Web Application Firewalls (WAFs).
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-10T09:16:51.153Z and last modified on 2026-07-10T11:16:31.447Z. The vulnerability has a CVSS score of 6.6 and is classified as MEDIUM severity. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected deployments and review official advisories for specific guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T09:16:51.153Z and has not been modified since then.