Platform
wordpress
Component
gf-multi-uploader
Fixed version
1.1.8
CVE-2025-14344 describes an arbitrary file access vulnerability affecting the Multi Uploader for Gravity Forms plugin for WordPress. This vulnerability allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to data loss or system compromise. The vulnerability impacts versions 1.0.0 through 1.1.7, and a patch is available in version 1.1.8.
The impact of this vulnerability is severe. An unauthenticated attacker can leverage the insufficient file path validation in the 'pluploadajaxdelete_file' function to delete any file the web server process has write access to. This could include critical system files, configuration files, or sensitive data stored on the server. Successful exploitation could lead to denial of service, data breaches, or even complete system takeover, depending on the files deleted and the permissions of the web server user. The lack of authentication makes this vulnerability particularly concerning, as any user can attempt to exploit it.
This vulnerability was publicly disclosed on 2025-12-12. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation makes it likely that PoCs will emerge. The vulnerability's criticality (CVSS 9.8) and ease of exploitation suggest a medium probability of exploitation, particularly given the widespread use of WordPress and Gravity Forms. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the Multi Uploader for Gravity Forms plugin, particularly those with shared hosting environments or legacy configurations, are at significant risk. Sites with weak file system permissions or inadequate security practices are especially vulnerable. Administrators of WordPress sites using older versions of the plugin should prioritize upgrading to the patched version.
• wordpress: Use wp-cli to list installed plugins and identify the Multi Uploader for Gravity Forms plugin (slug gf-multi-uploader; wp-cli lists plugins by slug, not by display title). Check the version column to determine whether the installed version is vulnerable.
  wp plugin list --status=all | grep gf-multi-uploader
• generic web: Monitor web server access logs for requests to /wp-content/plugins/multi-uploader-for-gravity-forms/delete.php or similar endpoints, especially those originating from unusual IP addresses.
• generic web: Examine WordPress plugin files for the pluploadajaxdelete_file function and any related code that handles file path validation. Look for missing or inadequate validation checks.
• linux / server: Monitor system logs (e.g., /var/log/auth.log, /var/log/syslog) for failed login attempts or unusual file deletion events related to the WordPress installation.
disclosure
Exploitation status
EPSS
0.37% (58th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-14344 is to immediately upgrade the Multi Uploader for Gravity Forms plugin to version 1.1.8 or later. If upgrading is not immediately feasible, consider restricting file upload permissions for the web server user to minimize the potential impact of file deletion. Implement a Web Application Firewall (WAF) rule to block requests to the 'pluploadajaxdelete_file' endpoint, especially those originating from untrusted sources. Regularly review file system permissions and audit logs for suspicious activity.
Update to version 1.1.8, or a newer patched version
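For comparison with the missing validation the advisory describes, the following is a hardened WordPress AJAX delete handler that enforces the three controls such a handler needs: a nonce, a capability check, and proof that the resolved target lies inside the plugin's own upload directory. This is an added example written for this page, not code from the gf-multi-uploader plugin; the action name example_delete_upload, the subdirectory example-uploads and the function name are assumptions.

```php
<?php
// Hypothetical hardened "delete uploaded file" AJAX handler for a WordPress
// plugin. Added illustration, not code from gf-multi-uploader; the action
// name, subdirectory and function name are assumed.

add_action( 'wp_ajax_example_delete_upload', 'example_delete_upload' );
// Deliberately no 'wp_ajax_nopriv_' hook: anonymous visitors cannot reach it.

function example_delete_upload() {
    // 1. CSRF protection: the request must carry a valid nonce.
    check_ajax_referer( 'example_delete_upload', 'nonce' );

    // 2. Authorization: only users allowed to manage uploads may delete.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Accept a bare file name only; sanitize_file_name() strips slashes,
    //    so the client can never supply a path of its own.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name ) {
        wp_send_json_error( 'missing file name', 400 );
    }

    // 4. Resolve the plugin's upload directory and the requested file, then
    //    prove the target is inside that directory. realpath() follows
    //    symlinks and collapses "../" segments; the trailing separator stops
    //    "/uploads-other" from passing as a prefix of "/uploads".
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'example-uploads' );
    $target = $base ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $target ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    // 5. Delete only after every check above has passed.
    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => $name ) );
}
```

When auditing a plugin's delete routine, the absence of any one of steps 1, 2 or 4 is the kind of gap the advisory's "insufficient file path validation" refers to.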
CVE-2025-14344 is a critical vulnerability allowing unauthenticated attackers to delete files on a WordPress server through the Multi Uploader for Gravity Forms plugin, impacting versions 1.0.0–1.1.7.
You are affected if your WordPress site uses the Multi Uploader for Gravity Forms plugin in versions 1.0.0 through 1.1.7. Check your plugin versions immediately.
Upgrade the Multi Uploader for Gravity Forms plugin to version 1.1.8 or later. As a temporary measure, restrict file upload permissions and implement WAF rules.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation. Monitor your systems closely.
Refer to the official Gravity Forms website and plugin documentation for the latest advisory and update information regarding CVE-2025-14344.