Platform: wordpress
Component: gf-multi-uploader
Fixed in: 1.1.8
CVE-2025-14344 describes an arbitrary file access vulnerability affecting the Multi Uploader for Gravity Forms plugin for WordPress. This vulnerability allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to data loss or system compromise. The vulnerability impacts versions 1.0.0 through 1.1.7, and a patch is available in version 1.1.8.
The impact of this vulnerability is severe. An unauthenticated attacker can leverage the insufficient file path validation in the 'pluploadajaxdelete_file' function to delete any file the web server process has write access to. This could include critical system files, configuration files, or sensitive data stored on the server. Successful exploitation could lead to denial of service, data breaches, or even complete system takeover, depending on the files deleted and the permissions of the web server user. The lack of authentication makes this vulnerability particularly concerning, as any user can attempt to exploit it.
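The two controls the advisory says were missing, an authentication check and validation of the file path before the delete, are exactly what a hardened handler has to enforce. The following is an added example written for this page, not code from the Multi Uploader for Gravity Forms plugin or its authors; the hook name `example_delete_upload`, the nonce action, the `file` request parameter and the `example-uploader` upload subdirectory are assumptions. It shows a WordPress AJAX delete handler that refuses unauthenticated callers, accepts a bare file name rather than a path, and only unlinks a file after `realpath()` confirms it sits inside the plugin's own upload directory.

```php
<?php
/**
 * Added example, not the plugin's code: a hardened WordPress AJAX handler
 * for deleting a previously uploaded file. The hook name, nonce action,
 * 'file' parameter and 'example-uploader' subdirectory are assumptions.
 */

// Registered for logged-in users only. The matching 'wp_ajax_nopriv_' hook is
// deliberately not registered, so unauthenticated requests never reach it.
add_action( 'wp_ajax_example_delete_upload', 'example_delete_upload' );

function example_delete_upload() {
    // Authorisation: a capability check plus a nonce bound to this action.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_delete_upload', 'nonce' ); // dies on failure

    // Accept a bare file name only; any path component is rejected outright.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name || basename( $name ) !== $name ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    // Containment: resolve the upload directory and the target with realpath()
    // (which also follows symlinks) and require the target to lie inside it.
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'example-uploader' );
    $target = ( false !== $base ) ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;

    if ( false === $base
        || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $target ) ) {
        // Same response for "outside the directory" and "does not exist",
        // so the handler cannot be used to probe the filesystem.
        wp_send_json_error( 'file not found', 404 );
    }

    wp_delete_file( $target ); // runs the 'wp_delete_file' filter, then unlinks

    if ( file_exists( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $name ) );
}
```

The client side must send a nonce created with `wp_create_nonce( 'example_delete_upload' )` in the `nonce` field, or the request is rejected before any file name is looked at. Resolving both the base directory and the target through `realpath()` is what defeats `../` sequences and symlinks: a link inside the upload directory that points elsewhere resolves to a path outside `$base` and is refused. This is a developer-side fix; the advisory's operational advice still applies, since a web server user that can only write to the upload tree bounds the damage even if a check like this is later broken.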
This vulnerability was publicly disclosed on 2025-12-12. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation makes it likely that PoCs will emerge. The vulnerability's criticality (CVSS 9.8) and ease of exploitation suggest a medium probability of exploitation, particularly given the widespread use of WordPress and Gravity Forms. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.37% (58th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-14344 is to immediately upgrade the Multi Uploader for Gravity Forms plugin to version 1.1.8 or later. If upgrading is not immediately feasible, consider restricting file upload permissions for the web server user to minimize the potential impact of file deletion. Implement a Web Application Firewall (WAF) rule to block requests to the 'pluploadajaxdelete_file' endpoint, especially those originating from untrusted sources. Regularly review file system permissions and audit logs for suspicious activity.
Update to version 1.1.8, or a newer patched version
CVE-2025-14344 is a critical vulnerability allowing unauthenticated attackers to delete files on a WordPress server through the Multi Uploader for Gravity Forms plugin, impacting versions 1.0.0–1.1.7.
You are affected if your WordPress site uses the Multi Uploader for Gravity Forms plugin in versions 1.0.0 through 1.1.7. Check your plugin versions immediately.
Upgrade the Multi Uploader for Gravity Forms plugin to version 1.1.8 or later. As a temporary measure, restrict file upload permissions and implement WAF rules.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation. Monitor your systems closely.
Refer to the official Gravity Forms website and plugin documentation for the latest advisory and update information regarding CVE-2025-14344.