CVE-2025-12352
Published: 07 November 2025
Summary
CVE-2025-12352 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wordfence (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and remediation of the arbitrary file upload flaw in Gravity Forms versions up to 2.9.20, preventing exploitation via patching or updates.
Enforces validation of information inputs including file uploads to block arbitrary files lacking proper type checks, directly addressing the missing validation in copy_post_image().
Mandates secure configuration settings like disabling allow_url_fopen, eliminating a key prerequisite for successful exploitation of this vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated arbitrary file upload vulnerability in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190), potentially leading to RCE.
NVD Description
The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the copy_post_image() function in all versions up to, and including, 2.9.20. This makes it possible for unauthenticated attackers to upload arbitrary…
more
files on the affected site's server which may make remote code execution possible. This only impacts sites that have allow_url_fopen set to `On`, the post creation form enabled along with a file upload field for the post
Deeper analysisAI
CVE-2025-12352 is an arbitrary file upload vulnerability in the Gravity Forms plugin for WordPress, affecting all versions up to and including 2.9.20. The flaw arises from missing file type validation in the copy_post_image() function, allowing attackers to upload arbitrary files to the affected site's server. Published on 2025-11-07, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation enables arbitrary file uploads, which may lead to remote code execution on the server. This impacts only sites where allow_url_fopen is set to On, the post creation form is enabled, and that form includes a file upload field.
References include GitHub code excerpts from the Gravity Forms repository highlighting the vulnerable lines in forms_model.php (L5451C26-L5451C41) and class-gf-field-fileupload.php (L306), along with a Wordfence threat intelligence advisory (ID 42525101-6196-40b9-90e7-c7f1886ef247).
Details
- CWE(s)