Multi Uploader for Gravity Forms

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.

AI Analysis

Arbitrary file deletion vulnerability due to insufficient file path validation

Basic Information

ID CVE-2025-14344

Source Wordfence

Published Dec 12, 2025 at 03:20

Affected Product

Vendor sh1zen

Product Multi Uploader for Gravity Forms

Version *

Affected Versions sh1zen Multi Uploader for Gravity Forms *

CWE Classification

CWE-22

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor sh1zen

Product Multi Uploader for Gravity Forms

Version 1.1.7

References

{
    "lastseen": "",
    "description": "The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.",
    "published": "2025-12-12T03:20:43.212Z",
    "modified": "2025-12-12T03:20:43.212Z",
    "type": "cve",
    "title": "Multi Uploader for Gravity Forms <= 1.1.7 - Unauthenticated Arbitrary File Deletion",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/346af237-0411-4cc4-9544-eab697385a2f?source=cve\nhttps://plugins.trac.wordpress.org/browser/gf-multi-uploader/tags/1.1.7/inc/GFMUHandlePluploader.class.php?marks=41-43#L41",
    "id": "CVE-2025-14344",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "sh1zen Multi Uploader for Gravity Forms *",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Multi Uploader for Gravity Forms",
    "version": "*",
    "vendor": "sh1zen",
    "ai_description": "Arbitrary file deletion vulnerability due to insufficient file path validation",
    "ai_severity": "Critical",
    "ai_vendor": "sh1zen",
    "ai_product": "Multi Uploader for Gravity Forms",
    "ai_version": "1.1.7",
    "ai_score": 9.8
}

Multi Uploader for Gravity Forms <= 1.1.7 - Unauthenticated Arbitrary File Deletion_CVE-2025-14344