Description
Unrestricted Upload of File with Dangerous Type vulnerability in sh1zen Multi Uploader for Gravity Forms gf-multi-uploader allows Upload a Web Shell to a Web Server. This issue affects Multi Uploader for Gravity Forms: from n/a through <= 1.1.3.
Published: 2025-01-22
Score: 9 (Critical)
EPSS: < 1% (Very Low)
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the sh1zen Multi Uploader for Gravity Forms plugin allows an attacker with web access to upload files of arbitrary type. This weakness, classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), permits the upload of a web shell to the server, granting the attacker the ability to execute arbitrary code and potentially compromise the integrity and confidentiality of the entire site.

Affected Systems

The affected product is sh1zen Multi Uploader for Gravity Forms, specifically all releases from the initial version up to and including 1.1.3. Users of any pre-1.1.4 build are potentially affected and should check their installed version.

Risk and Exploitability

The CVSS base score of 9.0 reflects the severe impact of remote code execution. However, the EPSS score of less than 1% indicates a very low probability of active exploitation at this time, and the flaw has not yet been listed in the CISA KEV catalog. An attacker would most likely exploit the flaw by uploading a malicious file through the plugin's file upload interface, which may be reachable by authenticated or unauthenticated users depending on site configuration. Because the plugin does not restrict the type of uploaded files, a successful upload carries high impact.

Generated by OpenCVE AI on May 1, 2026 at 19:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Multi Uploader for Gravity Forms to the latest version that removes the arbitrary file upload flaw (e.g., 1.1.4 or newer).
  • If an upgrade cannot be applied immediately, configure the plugin or WordPress to accept only safe file extensions and MIME types, effectively blocking dangerous file uploads.
  • Consider disabling or limiting the upload feature entirely until a secure patch is applied to prevent any potential exploitation.


Advisories
Source: EUVD
ID: EUVD-2025-3536
Title: Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Multi Uploader for Gravity Forms allows Upload a Web Shell to a Web Server. This issue affects Multi Uploader for Gravity Forms: from n/a through 1.1.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1): {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description removed: Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Multi Uploader for Gravity Forms allows Upload a Web Shell to a Web Server. This issue affects Multi Uploader for Gravity Forms: from n/a through 1.1.3.
  • Description added: Unrestricted Upload of File with Dangerous Type vulnerability in sh1zen Multi Uploader for Gravity Forms gf-multi-uploader allows Upload a Web Shell to a Web Server.This issue affects Multi Uploader for Gravity Forms: from n/a through <= 1.1.3.
  • References
  • Metrics (cvssV3_1): {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Wed, 22 Jan 2025 22:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Jan 2025 14:45:00 +0000

  • Description added: Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Multi Uploader for Gravity Forms allows Upload a Web Shell to a Web Server. This issue affects Multi Uploader for Gravity Forms: from n/a through 1.1.3.
  • Title added: WordPress Multi Uploader for Gravity Forms plugin <= 1.1.3 - Arbitrary File Upload vulnerability
  • Weaknesses added: CWE-434
  • References
  • Metrics (cvssV3_1) added: {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:06:42.260Z

Reserved: 2025-01-16T11:32:12.976Z

Link: CVE-2025-23921

Vulnrichment

Updated: 2025-01-22T21:31:42.842Z

NVD

Status: Deferred

Published: 2025-01-22T15:15:25.547

Modified: 2026-04-23T15:24:47.130

Link: CVE-2025-23921

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T19:30:23Z

Weaknesses