Gravity Forms WordPress Plugin Unauthenticated Remote Code Execution Vulnerability via Arbitrary File Upload

Vulnerability

A vulnerability in the Gravity Forms WordPress plugin, affecting versions prior to 2.9.23.1, allows unauthenticated arbitrary file upload. The plugin's chunked upload feature does not adequately restrict the types of files that can be uploaded, so potentially harmful files such as PHP scripts are accepted. This flaw could be exploited to achieve remote code execution on the affected site, provided the attacker can identify or enumerate the upload path.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected WordPress site.

Reproduction

To reproduce this vulnerability, upload a form with a file upload field enabled for multi-file uploads. Afterward, use a script to upload a PHP file in two chunks through the plugin's chunked upload functionality. The uploaded file can then be accessed via the WordPress uploads directory.

Remediation

Users are advised to update the Gravity Forms WordPress plugin to version 2.9.23.1 or later.
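Because files uploaded before the update remain on disk, a defender will want to check the uploads tree for anything the web server could execute. The script below is an added example written for this advisory, not code from Gravity Forms or from the advisory's author. It assumes uploads live under wp-content/uploads, that Gravity Forms keeps its files in a gravity_forms/ subfolder (the form folder name used here is a placeholder), and that the listed extensions are the ones the site's PHP handler would execute; the sample directory tree it scans is constructed in the script itself.

```python
"""Hunt for web-executable files in a WordPress uploads tree.

Added example, not Gravity Forms code. Assumptions: uploads live under
wp-content/uploads; Gravity Forms stores its files in the gravity_forms/
subfolder; the server maps EXECUTABLE_EXTS to the PHP interpreter.
"""
import os
import tempfile
from pathlib import Path

# Extensions a typical Apache or nginx + PHP-FPM setup may hand to PHP.
# Assumption: adjust this set to the site's actual handler configuration.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def is_web_executable(filename: str) -> bool:
    """True if any dot-separated segment after the base name is an executable
    extension. This catches 'notes.php' as well as double extensions such as
    'image.php.jpg', which an Apache AddHandler configuration may still run."""
    parts = filename.lower().split(".")
    return any(seg in EXECUTABLE_EXTS for seg in parts[1:])


def scan_uploads(uploads_dir: Path) -> list[str]:
    """Walks the uploads tree and returns relative paths of flagged files."""
    flagged = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if is_web_executable(name):
                flagged.append(Path(root, name).relative_to(uploads_dir).as_posix())
    return sorted(flagged)


def has_php_execution_block(directory: Path) -> bool:
    """Heuristic: does the directory carry an .htaccess that disables PHP
    execution? Disabling the PHP engine in upload folders is a common
    defence-in-depth control; the directives checked here are an assumption
    about how such a file is usually written."""
    htaccess = directory / ".htaccess"
    if not htaccess.is_file():
        return False
    text = htaccess.read_text(errors="ignore").lower()
    return "php_flag engine off" in text or "removehandler" in text


def build_sample_tree() -> Path:
    """Constructed sample uploads tree for the demo (not real site data).
    File contents are plain placeholders."""
    base = Path(tempfile.mkdtemp()) / "wp-content" / "uploads"
    gf = base / "gravity_forms" / "1-placeholderhash"   # placeholder form folder
    gf.mkdir(parents=True)
    (gf / "resume.pdf").write_text("placeholder")
    (gf / "photo.jpg").write_text("placeholder")
    (gf / "notes.php").write_text("placeholder")        # should be flagged
    (gf / "image.php.jpg").write_text("placeholder")    # double extension, flagged
    (base / "2025" / "12").mkdir(parents=True)
    (base / "2025" / "12" / "banner.png").write_text("placeholder")
    return base


if __name__ == "__main__":
    uploads = build_sample_tree()
    for path in scan_uploads(uploads):
        print("web-executable file in uploads:", path)
    print("PHP execution blocked in uploads dir:", has_php_execution_block(uploads))
```

Run it against a real site by pointing scan_uploads at the actual wp-content/uploads directory; any hit should be treated as a candidate web shell and reviewed together with the web server access logs for requests to that path. A hit that predates the 2.9.23.1 update is the signal that the update alone was not sufficient.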

Added: Dec 24, 2025, 6:17 AM
Updated: Dec 24, 2025, 6:17 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 10.0
exploitability: 7.8
remediation: 7.7
relevance: 1.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.