Description
The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path.
Published: 2025-12-24
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Dec 2025 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Gravityforms
Gravityforms gravity Forms
Wordpress
Wordpress wordpress
Vendors & Products Gravityforms
Gravityforms gravity Forms
Wordpress
Wordpress wordpress

Wed, 24 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Dec 2025 06:15:00 +0000

Type Values Removed Values Added
Description The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path.
Title GravityForms < 2.9.23.1 - Unauthenticated Arbitrary File Upload
References

Subscriptions

Gravityforms Gravity Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2025-12-24T16:39:08.316Z

Reserved: 2025-11-19T14:15:25.528Z

Link: CVE-2025-13407

cve-icon Vulnrichment

Updated: 2025-12-24T16:39:04.028Z

cve-icon NVD

Status : Deferred

Published: 2025-12-24T06:15:43.973

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13407

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-12-29T22:34:40Z

Weaknesses

No weakness.