PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-11977 happyforms CVE debrief

The Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms plugin for WordPress is vulnerable to Local File Inclusion. Authenticated attackers with Administrator-level access can include and execute arbitrary .php files on the server, allowing PHP code execution. This vulnerability has a CVSS score of 6.6 and is classified as MEDIUM severity. The vulnerability exists in all versions up to, and including, 1.26.12 via the happyforms_get_form_partial() function.

Vendor
happyforms
Product
Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms
CVSS
MEDIUM 6.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators of WordPress sites using the Happyforms plugin, especially those allowing Administrator-level access, should prioritize updating to a patched version. Site owners and security teams should review the official advisory and assess their exposure to this vulnerability.

Technical summary

The Happyforms plugin for WordPress is vulnerable to Local File Inclusion via the happyforms_get_form_partial() function. This allows authenticated attackers with Administrator-level access to include and execute arbitrary .php files on the server, enabling PHP code execution. The vulnerability has a CVSS score of 6.6 and is classified as MEDIUM severity. Affected deployments should prioritize updates beyond version 1.26.12 and restrict Administrator-level access. Additional security measures, such as Web Application Firewalls (WAFs), should be considered to mitigate potential impacts. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected deployments and review official advisories for specific guidance on remediation and compensating controls.

Defensive priority

High priority for WordPress administrators, especially those with active plugins and high-privileged user accounts.

Recommended defensive actions

  • Update the Happyforms plugin to a version beyond 1.26.12.
  • Restrict Administrator-level access to necessary personnel.
  • Monitor server logs for suspicious .php file inclusions.
  • Implement additional security measures such as Web Application Firewalls (WAFs).
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-10T09:16:51.153Z and last modified on 2026-07-10T11:16:31.447Z. The vulnerability has a CVSS score of 6.6 and is classified as MEDIUM severity. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected deployments and review official advisories for specific guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T09:16:51.153Z and has not been modified since then.