CVE-2025-12352

9.8 CRITICAL

Published: November 07, 2025 Modified: November 12, 2025

Description

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the copy_post_image() function in all versions up to, and including, 2.9.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This only impacts sites that have allow_url_fopen set to `On`, the post creation form enabled along with a file upload field for the post

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/forms_model.php#L5451C26-L5451C41

Source: security@wordfence.com

https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/includes/fields/class-gf-field-fileupload.php#L306

Source: security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/42525101-6196-40b9-90e7-c7f1886ef247?source=cve

Source: security@wordfence.com

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

9.8 / 10.0

EPSS (Exploit Probability)

0.2%

40th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-434

Related CVEs

CVE-2025-52691 10.0

CVE-2025-15168 7.3

CVE-2025-15167 7.3

CVE-2025-15166 7.3

CVE-2025-15165 7.3