Gravity Forms WordPress Plugin Arbitrary File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

Gravity Forms for WordPress, in all versions up to and including 2.9.21.1, is vulnerable to arbitrary file upload. The plugin's legacy chunked upload mechanism validates uploaded files only against an extension blacklist, and that blacklist omits .phar. An unauthenticated attacker can therefore upload a file with a .phar extension. If the attacker can also identify or enumerate the path at which the file is stored, and the web server is configured to hand .phar files to the PHP interpreter, requesting the stored file executes the attacker's code, which amounts to remote code execution on the server.

Impact

Exploitation yields unauthenticated arbitrary file upload. Where the web server executes .phar files as PHP, it escalates to remote code execution on the server; where it does not, the attacker still gains the ability to store arbitrary content under the site's upload path.

Reproduction

Without authenticating, submit a file with a .phar extension through the plugin's legacy chunked upload mechanism. The upload is accepted because the mechanism rejects only extensions on its blacklist, and .phar is not on that list. If the web server is configured to execute .phar files as PHP, requesting the uploaded file at its stored path runs the code it contains.

Remediation

Update the Gravity Forms plugin to version 2.9.22 or a later patched release. As defence in depth, confirm that the web server does not map the .phar extension to the PHP handler and that PHP execution is disabled for the uploads directory, and check the uploads tree for .phar files that may have been placed before the update.
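The following script is an added example of the post-remediation checks described above; it is not code from this advisory or from Gravity Forms. It reads the plugin version from the standard WordPress "Version:" plugin header, compares it numerically against 2.9.22, greps an Apache PHP configuration for a handler rule that covers .phar (the Debian-packaged mod_php configuration, for instance, ships a FilesMatch of the form ".+\.ph(ar|p|tml)$"), and lists any .phar files under the uploads tree. The file paths in the usage comment and the handler patterns it looks for are assumptions about a typical Linux/Apache install.

```shell
#!/bin/sh
# Added example: post-remediation checks for a WordPress operator. Not code
# from the advisory or from Gravity Forms. Paths and handler patterns are
# assumptions about a typical Linux/Apache install; adjust them to yours.

# Read the version from the standard "Version:" plugin-header line.
# The expected path (wp-content/plugins/gravityforms/gravityforms.php) is an assumption.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\(.*\)$/\1/p' "$1" | head -n 1 | tr -d '\r '
}

# Compare dot-separated versions component by component; returns 0 when $1 >= $2.
# Plain string comparison would rank 2.9.21.1 above 2.9.22, so do it numerically.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i in x) ? x[i] + 0 : 0
            q = (i in y) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# List every .phar file (any letter case) under the uploads tree. Anything found
# there either predates the patch or arrived some other way and needs triage.
find_phar_uploads() {
    find "$1" -type f -iname '*.phar' 2>/dev/null | sort
}

# Return 0 if an Apache config appears to map .phar to PHP, e.g. the Debian-style
#   <FilesMatch ".+\.ph(ar|p|tml)$">   or   AddHandler application/x-httpd-php .php .phar
# A match is a cue to inspect the file by hand (it could be a comment), not proof on its own.
config_executes_phar() {
    grep -Eiq 'phar|ph\(ar' "$1"
}

# Run all three checks, print findings, and return nonzero if any check fails.
# $1: uploads directory   $2: Apache PHP handler config   $3: plugin main file
run_checks() {
    rc=0
    v=$(plugin_version "$3")
    if [ -z "$v" ]; then
        echo "FAIL: could not read a Version: header from $3"; rc=1
    elif version_ge "$v" 2.9.22; then
        echo "ok: Gravity Forms $v is 2.9.22 or later"
    else
        echo "FAIL: Gravity Forms $v is vulnerable; update to 2.9.22 or later"; rc=1
    fi
    if config_executes_phar "$2"; then
        echo "FAIL: $2 appears to hand .phar files to PHP"; rc=1
    else
        echo "ok: $2 does not mention .phar"
    fi
    found=$(find_phar_uploads "$1")
    if [ -n "$found" ]; then
        echo "FAIL: .phar files present under $1:"; echo "$found"; rc=1
    else
        echo "ok: no .phar files under $1"
    fi
    return "$rc"
}

# Usage on a real install (all three paths are assumptions):
#   run_checks /var/www/html/wp-content/uploads \
#              /etc/apache2/mods-enabled/php8.2.conf \
#              /var/www/html/wp-content/plugins/gravityforms/gravityforms.php
```

The version check is the authoritative one; the other two only narrow the blast radius. A .phar handler rule that is absent from the file you pass can still be present elsewhere (another included config, a .htaccess in the uploads tree, or an nginx location block), so treat a clean grep as a starting point rather than a conclusion.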

Added: Nov 18, 2025, 4:18 AM
Updated: Nov 18, 2025, 4:18 AM

Vulnerability Rating

Custom Algorithm

  spread          5.2
  impact         10.0
  exploitability  9.3
  remediation     7.7
  relevance       1.0
  threat          4.8
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.