Description
The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the copy_post_image() function in all versions up to, and including, 2.9.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This only impacts sites that have allow_url_fopen set to `On`, the post creation form enabled along with a file upload field for the post
Published: 2025-11-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The plugin omits file-type checks in copy_post_image(), letting any file be stored on the server. An unauthenticated attacker can then place executable code or other malicious files, creating a pathway to remote code execution. The flaw is a classic file-upload vulnerability (CWE-434).

Affected Systems

Any WordPress site running Gravity Forms version 2.9.20 or earlier is affected. The risk materializes only when allow_url_fopen is enabled, the public post-creation form is active, and that form contains a file-upload field. Sites that have disabled the form or turned off allow_url_fopen are not directly exploitable.

Risk and Exploitability

The CVSS score of 9.8 rates the severity as Critical, but the EPSS score of <1% indicates that large-scale exploitation is presently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Because the vulnerable code path takes user-controlled input and requires no authentication, the attack vector is likely a simple HTTP request to the front-end form, potentially carrying a crafted URL that supplies a malicious file. Enforcing proper file-type validation would close the window for malicious uploads.

Generated by OpenCVE AI on April 22, 2026 at 12:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Gravity Forms release (2.9.21 or later) to replace the vulnerable copy_post_image() code.
  • Disable allow_url_fopen in the PHP configuration (allow_url_fopen=Off) for the WordPress environment.
  • Remove or lock down any public post-creation forms that include file-upload fields until the patch is applied.
  • Implement server-side file-type checks or use a security plugin to restrict uploads to trusted MIME types.

Generated by OpenCVE AI on April 22, 2026 at 12:02 UTC.
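As an added example (not Gravity Forms code, and not a description of how copy_post_image() is implemented), a self-contained PHP check of the kind the "server-side file-type checks" action above describes: the accepted type is derived from the file's bytes rather than from the client-supplied name, and the stored filename is rebuilt. The function and constant names are assumptions.

```php
<?php
// Added example, not Gravity Forms code: validate an image before it is
// copied into the uploads directory, deciding from the file's bytes rather
// than from the client-supplied name or a remote Content-Type header.

// Allowed extensions and the MIME type libmagic must detect for each.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

/**
 * Return a safe target filename for the file at $tmpPath, or null if the
 * file must be rejected. $originalName is untrusted input.
 */
function validate_post_image(string $tmpPath, string $originalName): ?string
{
    // 1. Extension allowlist on the last extension only, lower-cased, so a
    //    name such as "avatar.php.png" is judged by "png" and then by content.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;
    }

    // 2. The MIME type must come from the bytes on disk (libmagic), and it
    //    must match what the extension claims, so script source renamed to
    //    .png is rejected here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;
    }

    // 3. The file must actually decode as an image.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }

    // 4. Rebuild the filename from a character allowlist plus a random
    //    suffix, so no path components, extra dots or double extensions
    //    from the untrusted name reach the filesystem.
    $base = preg_replace('/[^a-z0-9_-]/i', '', pathinfo($originalName, PATHINFO_FILENAME));
    if ($base === '') {
        $base = 'image';
    }
    return $base . '-' . bin2hex(random_bytes(4)) . '.' . $ext;
}
```

Content sniffing alone does not stop a well-formed image that also carries script source, so pair this check with a web-server rule that refuses to execute scripts from the uploads directory.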


Advisories

No advisories yet.

History

Fri, 07 Nov 2025 18:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 07 Nov 2025 11:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Gravityforms; Gravityforms gravity Forms; Wordpress; Wordpress wordpress
Vendors & Products    -                Gravityforms; Gravityforms gravity Forms; Wordpress; Wordpress wordpress

Fri, 07 Nov 2025 04:45:00 +0000

Type          Values Removed   Values Added
Description   -                (the CVE description quoted at the top of this page)
Title         -                Gravity Forms <= 2.9.20 - Unauthenticated Arbitrary File Upload via 'copy_post_image'
Weaknesses    -                CWE-434
References    -
Metrics       -                cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Gravityforms Gravity Forms
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:54.150Z

Reserved: 2025-10-27T15:06:41.806Z

Link: CVE-2025-12352

Vulnrichment

Updated: 2025-11-07T17:41:14.950Z

NVD

Status: Deferred

Published: 2025-11-07T05:15:57.163

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12352

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:15:16Z

Weaknesses