GravityForms < 2.9.23.1 - Unauthenticated Arbitrary File Upload_CVE-2025-13407

6.8 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Description

The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path.

Basic Information

ID CVE-2025-13407

Source WPScan

Published Dec 24, 2025 at 06:00

Modified Dec 24, 2025 at 16:39

Affected Product

Vendor Unknown

Product Gravity Forms

Affected Versions Unknown Gravity Forms 0

CWE Classification

References

wpscan.com /vulnerability/e09908fb-f5ad-45ca-8698-c0d596fd39cc/

{
    "lastseen": "",
    "description": "The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path.",
    "published": "2025-12-24T06:00:04.578Z",
    "modified": "2025-12-24T16:39:08.316Z",
    "type": "cve",
    "title": "GravityForms < 2.9.23.1 - Unauthenticated Arbitrary File Upload",
    "source": "WPScan",
    "references": "https://wpscan.com/vulnerability/e09908fb-f5ad-45ca-8698-c0d596fd39cc/",
    "id": "CVE-2025-13407",
    "bulletinFamily": "",
    "cwe": [
        ""
    ],
    "cvelist": null,
    "sourceData": "Unknown Gravity Forms 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.8,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Gravity Forms",
    "version": "0",
    "vendor": "Unknown",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}