CVE-2025-12974 HIGH

CVE-2025-12974: Gravity Forms <= 2.9.21.1 - Unauthenticated Arbitrary File Upload via Legacy Chunked Upload

Vendor Gravity Forms
Product Gravity Forms
Weakness CWE-434 · Unrestricted file upload
Published November 18, 2025
Last update April 8, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in its legacy chunked upload mechanism, in all versions up to and including 2.9.21.1. The upload filter is an extension blacklist, and that blacklist does not include .phar, so a .phar file passes the check and is written to disk through the chunked upload path. An unauthenticated attacker can therefore upload an executable .phar file and, provided they can discover or enumerate the upload path, achieve remote code execution on the server. Code execution additionally requires that the web server is configured to hand .phar files to PHP, via a file handler mapping or similar; on a server that maps only .php, the uploaded file is stored but not interpreted as PHP.
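The validation pattern the description names, as an added example in Python; this is not code from Gravity Forms or from this advisory. A blacklist that omits .phar accepts shell.phar and its case variants, while an allowlist with name normalisation rejects it and also catches double extensions such as shell.phar.jpg. The denied and allowed extension sets and the file names are constructed for illustration and are not the plugin's actual lists. The same extension parser drives a small hunting helper for sweeping an existing uploads directory for PHP-executable names after the fact.

```python
import os

# Constructed stand-in for an extension blacklist of the kind the advisory
# describes: common PHP extensions are listed but .phar is not. This is NOT
# Gravity Forms' actual list.
DENIED_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phps"}

# Extensions an upload field legitimately needs (assumed for illustration).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Everything a PHP-enabled web server might execute, including the omitted one.
EXECUTABLE_EXTENSIONS = DENIED_EXTENSIONS | {"phar"}


def _extension_parts(filename):
    """Lower-cased extension segments of a file name.

    "Shell.PHAR" -> ["phar"]; "a.phar.jpg" -> ["phar", "jpg"]; "README" -> [].
    Trailing dots and spaces are stripped first because Windows and some
    upload handlers silently drop them, turning "shell.phar." into "shell.phar".
    """
    base = os.path.basename(filename).strip().rstrip(". ")
    return [p for p in base.lower().split(".")[1:] if p]


def blacklist_accepts(filename):
    """Vulnerable pattern: reject only when the final extension is on the denylist."""
    parts = _extension_parts(filename)
    return not parts or parts[-1] not in DENIED_EXTENSIONS


def allowlist_accepts(filename):
    """Hardened pattern: the final extension must be allowlisted and no segment
    may be executable, which also blocks shell.phar.jpg on servers that
    evaluate every extension in a name (Apache mod_mime does)."""
    parts = _extension_parts(filename)
    if not parts or parts[-1] not in ALLOWED_EXTENSIONS:
        return False
    return not any(p in EXECUTABLE_EXTENSIONS for p in parts)


def find_executable_uploads(paths):
    """Hunting helper: keep the paths whose file name carries an executable
    extension in any position. Feed it the output of walk_uploads()."""
    return [p for p in paths
            if any(seg in EXECUTABLE_EXTENSIONS for seg in _extension_parts(p))]


def walk_uploads(root):
    """Yield every file under root (e.g. wp-content/uploads), relative to root."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            yield os.path.relpath(os.path.join(dirpath, name), root)


if __name__ == "__main__":
    # Constructed file names; "Shell.PHAR" shows that case does not help a blacklist.
    for name in ["photo.jpg", "shell.php", "shell.phar", "Shell.PHAR", "shell.phar.jpg"]:
        print(f"{name:15} blacklist={blacklist_accepts(name)!s:5} allowlist={allowlist_accepts(name)}")
```

To sweep a live site, call find_executable_uploads(walk_uploads("/var/www/html/wp-content/uploads")) and review every hit: a .phar under uploads has no legitimate reason to exist, and a hit predating the patch is an incident, not a false positive.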

Explanation of Vulnerability in Simple Terms

02 Summary

Gravity Forms versions up to and including 2.9.21.1 contain an unrestricted file upload vulnerability (CWE-434) in the legacy chunked upload mechanism: the extension blacklist omits .phar, so an attacker can store a PHP-executable file on the server without authentication. Where the web server treats .phar as PHP, this leads to remote code execution. All installations of the affected versions expose the upload flaw; update to a version newer than 2.9.21.1 immediately.

What an attacker can do

03 Attacker Capabilities

Upload a .phar file that passes the extension blacklist to your server and, if the server executes .phar as PHP and the attacker knows the upload path, run arbitrary code with the web server's privileges.

Potential impact on your site

04 Site Impact

Attackers who reach code execution gain full control of your site: code running in the web server process can read wp-config.php with its database credentials, alter plugin and theme files, and plant further backdoors.

Conditions required to exploit

05 Prerequisites

Network access to the Gravity Forms upload endpoint, with no authentication required, is enough to store the file. Turning that into code execution additionally needs knowledge of the upload path, obtained by discovery or enumeration, and a web server that routes .phar files to the PHP interpreter through a handler mapping or similar (the mod_php configuration shipped by Debian-based distributions, for example, matches .phar alongside .php). These extra conditions are why the CVSS vector rates attack complexity High.
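The execution precondition, as an added example in Python that is not from the advisory or the plugin: a line-oriented scan of Apache httpd, .htaccess and PHP-FPM pool text for rules that would route a .phar file to the PHP handler. The sample configurations are constructed; the first resembles the FilesMatch block Debian-based distributions ship for mod_php, whose pattern matches .phar as well as .php, and the last is a .php-only mapping for contrast. The directive list and the "php" substring heuristic for handler names are assumptions, and nginx location blocks are not covered.

```python
import re

# Name used to probe FilesMatch patterns: would this pattern route a .phar upload?
PROBE_NAME = "upload.phar"

# Directives assumed for this illustration (not exhaustive): Apache handler
# bindings, Apache <FilesMatch> blocks, and the php-fpm pool setting that
# restricts which extensions FPM will execute.
_APACHE_DIRECTIVE = re.compile(
    r"^\s*(AddHandler|AddType|SetHandler)\s+(\S+)\s*(.*)$", re.IGNORECASE)
_FILESMATCH_OPEN = re.compile(r'^\s*<FilesMatch\s+"([^"]+)"\s*>', re.IGNORECASE)
_FILESMATCH_CLOSE = re.compile(r"^\s*</FilesMatch\s*>", re.IGNORECASE)
_FPM_LIMIT = re.compile(r"^\s*security\.limit_extensions\s*=\s*(.*)$", re.IGNORECASE)


def _pattern_matches_phar(pattern):
    """True if an Apache FilesMatch regex matches the probe name. Python's re is
    close enough to PCRE for the simple patterns seen in handler configs."""
    try:
        return re.search(pattern, PROBE_NAME) is not None
    except re.error:
        return False


def phar_handler_mappings(config_text):
    """Return (line_no, line) pairs that would hand a .phar file to PHP.

    Heuristics, one line at a time:
    - AddHandler/AddType whose handler or type names php and whose extension
      list contains .phar
    - a SetHandler naming php inside a <FilesMatch> whose regex matches .phar
    - php-fpm security.limit_extensions listing .phar (FPM's default is .php only)
    The 'php' substring test on the handler is deliberately loose so that
    proxy:fcgi://... and proxy:unix:/run/php/... handlers are caught too.
    """
    hits = []
    enclosing = None  # (line_no, line) of a <FilesMatch> that matches .phar
    for n, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        m = _FILESMATCH_OPEN.match(line)
        if m:
            enclosing = (n, line) if _pattern_matches_phar(m.group(1)) else None
            continue
        if _FILESMATCH_CLOSE.match(line):
            enclosing = None
            continue
        m = _APACHE_DIRECTIVE.match(line)
        if m:
            directive = m.group(1).lower()
            names_php = "php" in m.group(2).lower()
            extensions = m.group(3).lower().split()
            if directive == "sethandler" and names_php and enclosing:
                hits.append(enclosing)
            elif directive != "sethandler" and names_php and ".phar" in extensions:
                hits.append((n, line))
            continue
        m = _FPM_LIMIT.match(line)
        if m and ".phar" in m.group(1).lower().split():
            hits.append((n, line))
    return hits


# Constructed samples, not taken from any real host.
SAMPLE_MOD_PHP_CONF = """\
# resembles the mod_php snippet Debian-based distributions ship: .phar is mapped
<FilesMatch ".+\\.ph(ar|p|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>
AddType image/webp .webp
"""

SAMPLE_HTACCESS = """\
# a per-directory override of the kind that can appear in an uploads folder
AddHandler application/x-httpd-php .php .phar
"""

SAMPLE_FPM_POOL = """\
; php-fpm pool with the extension limit widened beyond its .php default
security.limit_extensions = .php .phar
"""

SAMPLE_PHP_ONLY_CONF = """\
<FilesMatch "\\.php$">
    SetHandler "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost"
</FilesMatch>
"""

if __name__ == "__main__":
    for label, text in [("mod_php", SAMPLE_MOD_PHP_CONF), (".htaccess", SAMPLE_HTACCESS),
                        ("php-fpm", SAMPLE_FPM_POOL), ("php-only", SAMPLE_PHP_ONLY_CONF)]:
        print(label, phar_handler_mappings(text) or "no .phar mapping")
```

On a real host, feed it the contents of the Apache configuration tree, every .htaccess under the document root, and the php-fpm pool files. An empty result is not proof of safety, since nginx and other front ends are outside the scan; the definitive check is to place a harmless .phar containing a single echo under the document root and see whether the server runs it or serves it as a download.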

Key dates

06 Disclosure timeline

November 18, 2025 CVE published
April 8, 2026 Record updated