Gravity Forms WordPress Plugin Unauthenticated Arbitrary File Upload Vulnerability

Vulnerability

A vulnerability in the Gravity Forms plugin for WordPress allows for arbitrary file uploads. This issue arises from inadequate file type validation in the 'copy_post_image()' function, affecting all versions up to and including 2.9.20. The vulnerability enables unauthenticated attackers to upload arbitrary files to the server of the affected site, potentially leading to remote code execution. This issue only impacts sites with 'allow_url_fopen' enabled, the post creation form active, and a file upload field included in the form.
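The following is an added illustration of what adequate file type validation for a URL-supplied post image looks like; it is not Gravity Forms' code and not the fix shipped in 2.9.21. It assumes WordPress core is loaded (so `download_url()`, `wp_check_filetype_and_ext()` and `media_handle_sideload()` are available), and the function name `safe_copy_post_image` is hypothetical.

```php
<?php
// Added example, not plugin code: defensive handling of a post image given
// as a URL. Checks the name before fetching and the content after fetching,
// then lets core sanitize the filename and place the file under uploads.
function safe_copy_post_image( string $url, int $post_id ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    // 1. Only http(s) URLs; reject file://, php://, data: and other wrappers.
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'bad_scheme', 'Only http(s) URLs are accepted.' );
    }

    // 2. Extension allowlist decided from the URL path *before* any fetch.
    $path    = wp_parse_url( $url, PHP_URL_PATH ) ?: '';
    $ext     = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
    $allowed = array( 'jpg', 'jpeg', 'png', 'gif', 'webp' );
    if ( ! in_array( $ext, $allowed, true ) ) {
        return new WP_Error( 'bad_ext', 'Not an allowed image extension.' );
    }

    // 3. Fetch through the WP HTTP layer (does not depend on allow_url_fopen).
    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }

    // 4. Verify the content, not just the name: a real image with an image MIME.
    $check = wp_check_filetype_and_ext( $tmp, basename( $path ) );
    if ( empty( $check['ext'] ) || empty( $check['type'] )
         || 0 !== strpos( $check['type'], 'image/' )
         || false === @getimagesize( $tmp ) ) {
        @unlink( $tmp );
        return new WP_Error( 'bad_content', 'File content is not an image.' );
    }

    // 5. Hand off to core, which sanitizes the name and writes under uploads.
    $file_array = array(
        'name'     => sanitize_file_name( basename( $path ) ),
        'tmp_name' => $tmp,
    );
    $attachment_id = media_handle_sideload( $file_array, $post_id );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
    }
    return $attachment_id;
}
```

Core's own MIME checks apply again inside `media_handle_sideload()`, so a file that passes the name check but carries non-image content is rejected twice.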

Impact

Exploitation of this vulnerability could result in unauthorized file uploads, with the potential for remote code execution on the affected server.

Remediation

Users are advised to update the Gravity Forms plugin to version 2.9.21 or a newer patched version.

Added: Nov 7, 2025, 5:20 AM
Updated: Nov 7, 2025, 5:20 AM

Vulnerability Rating

Custom Algorithm
spread:         5.2
impact:        10.0
exploitability: 9.0
remediation:    7.7
relevance:      1.0
threat:         3.2
urgency:        2.9
incentive:     10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.