CVE-2025-12352
Published: 07 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-12352 is an arbitrary file upload vulnerability in the Gravity Forms plugin for WordPress, affecting all versions up to and including 2.9.20. The flaw arises from missing file type validation in the copy_post_image() function, allowing attackers to upload arbitrary files to the affected site's server. Published on 2025-11-07, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation enables arbitrary file uploads, which may lead to remote code execution on the server. This impacts only sites where allow_url_fopen is set to On, the post creation form is enabled, and that form includes a file upload field.
References include GitHub code excerpts from the Gravity Forms repository highlighting the vulnerable lines in forms_model.php (L5451C26-L5451C41) and class-gf-field-fileupload.php (L306), along with a Wordfence threat intelligence advisory (ID 42525101-6196-40b9-90e7-c7f1886ef247).
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated arbitrary file upload vulnerability in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190), potentially leading to RCE.