CVE-2025-23921
Published: 22 January 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-23921 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the sh1zen Multi Uploader for Gravity Forms plugin (gf-multi-uploader) for WordPress. Published on 2025-01-22, it affects all versions up to and including 1.1.3 and enables attackers to upload a web shell to the web server. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact confidentiality, integrity, and availability effects across a changed scope.
Per the vector, exploitation is network-reachable and needs neither privileges nor user interaction; the high attack-complexity rating means the attacker must also rely on conditions outside their direct control. Successful exploitation lets an unauthenticated remote attacker place a file of their choosing, such as a PHP web shell, under the web root; the web server then executes it as the PHP process user, giving remote code execution on the host and potentially full compromise of the affected WordPress site, its database credentials and any other sites served from the same account.
Patchstack's advisory covers this arbitrary file upload vulnerability in Multi Uploader for Gravity Forms up to version 1.1.3; security practitioners should review https://patchstack.com/database/Wordpress/Plugin/gf-multi-uploader/vulnerability/wordpress-multi-uploader-for-gravity-forms-plugin-1-1-3-arbitrary-file-upload-vulnerability?_s_id=cve for mitigation recommendations, which come down to updating to a fixed version if one is available and otherwise deactivating and deleting the plugin. Sites that ran an affected version exposed to the internet should also be checked for files dropped through the upload path, since patching does not remove a shell that is already in place.
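The weakness class behind this CVE is easiest to see as two upload checks side by side. The block below is an added illustration and is not code from the Multi Uploader for Gravity Forms plugin or from Patchstack: it shows a denylist on the client-supplied extension, the kind of check that leaves a CWE-434 hole, next to an allowlist that permits exactly one extension, compares the file's leading bytes with that extension, and replaces the client's filename with a server-chosen one. The file names, byte strings and the extension/signature table are constructed for the example; the function names are hypothetical.

```python
"""Added example (not the plugin's code): a denylist upload check of the kind
that leaves a CWE-434 hole, beside an allowlist check that rejects anything
not positively known.  Sample uploads and the extension tables are
constructed for the example."""
import os
import re
import secrets
from typing import Dict, Optional, Tuple

# Extensions a PHP web server may hand to the interpreter.  Deliberately
# incomplete: that is the weakness of every denylist.
DANGEROUS_EXTS = {"php", "phtml"}

# Allowlist: extension -> accepted leading byte sequences (file signatures).
ALLOWED_EXTS = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Exactly one dot, plain characters only: "shell.php.jpg" cannot match.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,100}\.([A-Za-z0-9]{1,5})")


def insecure_is_allowed(filename: str) -> bool:
    """Denylist check.  Only the last extension is examined and only two
    spellings are blocked, so 'shell.php5', 'shell.phar', '.htaccess' and
    'shell.php.jpg' all pass, and the file keeps the caller's name on disk."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DANGEROUS_EXTS


def validate_upload(client_filename: str, content: bytes) -> Optional[str]:
    """Allowlist check.  Returns the canonical extension to store the file
    under, or None when the upload must be rejected."""
    name = os.path.basename(client_filename.replace("\\", "/"))
    m = _SAFE_NAME.fullmatch(name)
    if m is None:
        return None                          # path tricks, double extensions
    ext = m.group(1).lower()
    signatures = ALLOWED_EXTS.get(ext)
    if signatures is None:
        return None                          # not an allowlisted type
    if not any(content.startswith(sig) for sig in signatures):
        return None                          # extension and content disagree
    return ext


def storage_name(ext: str) -> str:
    """Server-chosen name: the client never controls path or extension."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads: one benign image and five attacker attempts.
WEBSHELL = b"<?php system($_GET['cmd']); ?>"
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLES = {
    "shell.php": WEBSHELL,
    "shell.php5": WEBSHELL,          # spelling the denylist forgot
    "shell.phar": WEBSHELL,
    "shell.php.jpg": WEBSHELL,       # relies on multi-extension handlers
    "fake.jpg": WEBSHELL,            # right extension, wrong content
    "photo.JPG": JPEG_HEAD + b"\x00" * 32,
}


def compare(samples=SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """(accepted by the denylist, accepted by the allowlist) per sample."""
    return {n: (insecure_is_allowed(n), validate_upload(n, c) is not None)
            for n, c in samples.items()}


if __name__ == "__main__":
    for name, (weak, strong) in compare().items():
        print(f"{name:15} denylist={'accept' if weak else 'reject'}  "
              f"allowlist={'accept' if strong else 'reject'}")
```

The signature check is defence in depth, not the decisive control: a valid JPEG with PHP appended after the image data still passes it. What stops execution is that the stored file can only ever carry an allowlisted extension and a name the attacker did not choose, combined with a web-server rule that refuses to run scripts from the uploads directory at all.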
Details
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1505.003 Server Software Component: Web Shell (the retired ID T1100 was folded into this sub-technique)
Why these techniques?
Unrestricted file upload in a public-facing WordPress plugin directly enables exploitation of a public-facing application (T1190) and deployment of a web shell (T1505.003, formerly T1100) for remote code execution and persistent access.