CVE-2025-14344

CVE-2025-14344 is a path traversal vulnerability (CWE-22) in the Multi Uploader for Gravity Forms plugin for WordPress, affecting all versions up to and including 1.1.7. The issue stems from insufficient file path validation in the 'plupload_ajax_delete_file' function, enabling arbitrary file deletion on the server. Published on 2025-12-12, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to high impacts across confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required. By crafting malicious requests to the affected function, they can delete arbitrary files on the web server, potentially disrupting services, destroying data, or enabling further compromise through targeted deletions such as configuration files or backups.

Mitigation details are available in referenced advisories, including the Wordfence threat intelligence page (https://www.wordfence.com/threat-intel/vulnerabilities/id/346af237-0411-4cc4-9544-eab697385a2f?source=cve), the plugin's vulnerable code at lines 41-43 in GFMUHandlePluploader.class.php (https://plugins.trac.wordpress.org/browser/gf-multi-uploader/tags/1.1.7/inc/GFMUHandlePluploader.class.php?marks=41-43#L41), and WordPress plugin trac changeset 3421317 (https://plugins.trac.wordpress.org/changeset/3421317/), which addresses the flaw. Security practitioners should update to a version beyond 1.1.7 and review access to the plugin's AJAX endpoints.