Description
The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including, 2.9.21.1. This is due to the extension blacklist not including .phar files, which can be uploaded through the chunked upload mechanism. This makes it possible for unauthenticated attackers to upload executable .phar files and achieve remote code execution on the server, granted they can discover or enumerate the upload path. In order for an attacker to achieve RCE, the web server needs to be set up to process .phar file as PHP via file handler mapping or similar.
Published: 2025-11-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Gravity Forms, a popular WordPress plugin, is vulnerable to arbitrary file uploads because the legacy chunked upload mechanism performs no file type validation. The extension blacklist mistakenly excludes .phar files, allowing an attacker to upload a .phar payload, which can contain PHP code. If the web server is configured to process .phar files as PHP, the attacker can execute code directly on the server, compromising confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects all users of Gravity Forms versions up to and including 2.9.21.1 running on WordPress sites. The attack surface includes the upload path that the chunked upload routine uses; discovery or enumeration of this path is required for exploitation.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity flaw. The EPSS score of less than 1% suggests that exploitation is unlikely at present, but the lack of a KEV listing does not negate the need for remediation. Attackers could exploit the flaw from any network position without authentication, provided they can find the upload directory, and the server is configured to execute .phar files.

Generated by OpenCVE AI on April 21, 2026 at 18:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gravity Forms to a later version that removes or corrects the legacy chunked upload mechanism, if such an update is available.
  • If an update is not immediately possible, disable legacy chunked uploads or rename the upload directory to a location that is not served by the web server, thereby preventing remote write access.
  • Configure the web server to explicitly deny execution of .phar files or block the .phar extension using .htaccess or server configuration directives.

Generated by OpenCVE AI on April 21, 2026 at 18:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 19 Nov 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 18 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Gravityforms
Gravityforms gravity Forms
Wordpress
Wordpress wordpress
Vendors & Products Gravityforms
Gravityforms gravity Forms
Wordpress
Wordpress wordpress

Tue, 18 Nov 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including, 2.9.21.1. This is due to the extension blacklist not including .phar files, which can be uploaded through the chunked upload mechanism. This makes it possible for unauthenticated attackers to upload executable .phar files and achieve remote code execution on the server, granted they can discover or enumerate the upload path. In order for an attacker to achieve RCE, the web server needs to be set up to process .phar file as PHP via file handler mapping or similar.
Title Gravity Forms <= 2.9.21.1 - Unauthenticated Arbitrary File Upload via Legacy Chunked Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Gravityforms Gravity Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:23.000Z

Reserved: 2025-11-10T18:28:03.944Z

Link: CVE-2025-12974

cve-icon Vulnrichment

Updated: 2025-11-18T15:04:02.455Z

cve-icon NVD

Status : Deferred

Published: 2025-11-18T04:15:43.583

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12974

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:30:27Z

Weaknesses