Cyber Posture

CVE-2025-12974

High

Published: 18 November 2025
Modified: 15 April 2026
KEV Added: (none listed)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (45.6th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including, 2.9.21.1. This is due to the extension blacklist not including .phar files, which can be uploaded through the chunked upload mechanism. This makes it possible for unauthenticated attackers to upload executable .phar files and achieve remote code execution on the server, granted they can discover or enumerate the upload path. In order for an attacker to achieve RCE, the web server needs to be set up to process .phar files as PHP via file handler mapping or similar.

Mitigating Controls (NIST 800-53 r5)

prevent: Patching the Gravity Forms plugin to versions beyond 2.9.21.1 directly remediates the missing file type validation in the chunked upload mechanism.

prevent: Enforces validation of file types during uploads to block dangerous extensions like .phar that bypass the inadequate blacklist.

prevent, detect: Malicious code protection mechanisms at upload entry points scan and block executable .phar files attempting remote code execution.

Security Summary

CVE-2025-12974 affects the Gravity Forms plugin for WordPress in all versions up to and including 2.9.21.1. The vulnerability stems from missing file type validation in the legacy chunked upload mechanism, where the extension blacklist does not include .phar files. This allows arbitrary file uploads, as .phar files can be submitted through the chunked upload process.

Unauthenticated attackers can exploit this vulnerability remotely, though it requires high attack complexity. By discovering or enumerating the upload path, they can upload executable .phar files. Remote code execution is achievable if the web server is configured to process .phar files as PHP via file handler mapping or similar mechanisms. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Mitigation details are available in the Gravity Forms changelog at https://docs.gravityforms.com/gravityforms-change-log/. Relevant code locations include common/common.php at line 4178 and includes/upload.php at line 97 in the plugin's GitHub repository. Additional analysis is provided in Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/b6395439-da45-4b64-8e30-b106dffd46c1?source=cve. Security practitioners should update to patched versions beyond 2.9.21.1.
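As an added illustration (not the plugin's code or anything from the advisory), the checks below contrast a deny-list in the style the description criticises with an allow-list, and add two defender-side checks: an audit of an uploads listing for files a PHP handler could execute, and a heuristic scan of Apache directives that could map .phar to PHP. The extension sets, file names and configuration lines are all constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Hypothetical deny-list in the style the advisory describes (it omits "phar").
# Constructed for illustration; not the plugin's actual list.
DENY_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phps"}
# Allow-list of what a typical form upload field legitimately needs (constructed).
ALLOW_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv"}
# Extensions a web server may hand to the PHP engine through handler mapping.
PHP_HANDLER_EXTENSIONS = DENY_EXTENSIONS | {"phar", "pht", "phtm"}

def _suffixes(filename: str) -> list:
    """Lower-cased dotted suffixes of the final path component, dots stripped."""
    return [s[1:].lower() for s in PurePosixPath(filename).suffixes]

def blacklist_allows(filename: str) -> bool:
    """Flawed check: only the last extension is tested, and only against a deny-list."""
    exts = _suffixes(filename)
    return bool(exts) and exts[-1] not in DENY_EXTENSIONS

def allowlist_allows(filename: str) -> bool:
    """Hardened check: the last extension must be allow-listed, and no suffix in the
    name may be one a PHP handler mapping could execute (covers name.phar.txt too)."""
    exts = _suffixes(filename)
    return (bool(exts) and exts[-1] in ALLOW_EXTENSIONS
            and not any(e in PHP_HANDLER_EXTENSIONS for e in exts))

def find_executable_uploads(paths: list) -> list:
    """Audit an upload directory listing; return files a PHP handler could run."""
    return [p for p in paths
            if any(e in PHP_HANDLER_EXTENSIONS for e in _suffixes(p))]

# Heuristic: Apache directives that mention phar and can assign a handler.
_HANDLER_LINE = re.compile(r"^\s*(AddHandler|AddType|SetHandler|<FilesMatch)\b.*phar", re.I)

def handler_maps_phar(apache_config: str) -> list:
    """Return config lines that could route .phar files to the PHP engine."""
    return [ln.strip() for ln in apache_config.splitlines() if _HANDLER_LINE.search(ln)]

if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ["photo.jpg", "tool.phar", "notes.phar.txt"]:
        print(name, "blacklist:", blacklist_allows(name), "allowlist:", allowlist_allows(name))
    print(handler_maps_phar("AddHandler application/x-httpd-php .php .phar\nDirectoryIndex index.php"))
```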

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated attackers to exploit a public-facing WordPress plugin via arbitrary file upload leading to potential RCE, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References