What is CVE-2025-14344 — Arbitrary File Access in Multi Uploader for Gravity Forms?

CVE-2025-14344 is a critical vulnerability allowing unauthenticated attackers to delete files on a WordPress server through the Multi Uploader for Gravity Forms plugin, impacting versions 1.0.0–1.1.7.

Am I affected by CVE-2025-14344 in Multi Uploader for Gravity Forms?

You are affected if your WordPress site uses the Multi Uploader for Gravity Forms plugin in versions 1.0.0 through 1.1.7. Check your plugin versions immediately.

How do I fix CVE-2025-14344 in Multi Uploader for Gravity Forms?

Upgrade the Multi Uploader for Gravity Forms plugin to version 1.1.8 or later. As a temporary measure, restrict file upload permissions and implement WAF rules.

Is CVE-2025-14344 being actively exploited?

While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation. Monitor your systems closely.

Where can I find the official Multi Uploader for Gravity Forms advisory for CVE-2025-14344?

Refer to the official Gravity Forms website and plugin documentation for the latest advisory and update information regarding CVE-2025-14344.

CVE-2025-14344 — Vulnerability Details

NEXTGUARD

Escanear gratis

CVE-2025-14344 — Vulnerability Details | NextGuard

Pasos de Deteccióntraduciendo…

• wordpress: Use wp-cli plugin list to identify installations of the Multi Uploader for Gravity Forms plugin. Check the version number to determine if it's vulnerable.

wp plugin list --status=all | grep 'Multi Uploader for Gravity Forms'

• generic web: Monitor web server access logs for requests to /wp-content/plugins/multi-uploader-for-gravity-forms/delete.php or similar endpoints, especially those originating from unusual IP addresses. • generic web: Examine WordPress plugin files for the pluploadajaxdelete_file function and any related code that handles file path validation. Look for missing or inadequate validation checks. • linux / server: Monitor system logs (e.g., /var/log/auth.log, /var/log/syslog) for failed login attempts or unusual file deletion events related to the WordPress installation.

Multi Uploader for Gravity Forms <= 1.1.7 - Eliminación Arbitraria de Archivos No Autenticada

Impacto y Escenarios de Ataque

Contexto de Explotación

Quién Está en Riesgotraduciendo…

Pasos de Deteccióntraduciendo…

Cronología del Ataque

Inteligencia de Amenazas

Software Afectado

Clasificación de Debilidad (CWE)

Cronología

Mitigación y Workarounds

Cómo corregirlo

Boletín de seguridad CVE

Preguntas frecuentestraduciendo…

What is CVE-2025-14344 — Arbitrary File Access in Multi Uploader for Gravity Forms?

Am I affected by CVE-2025-14344 in Multi Uploader for Gravity Forms?

How do I fix CVE-2025-14344 in Multi Uploader for Gravity Forms?

Is CVE-2025-14344 being actively exploited?

Where can I find the official Multi Uploader for Gravity Forms advisory for CVE-2025-14344?

Información del paquete

¿Tu proyecto está afectado?

Detecta esta CVE en tu proyecto