Cyber Posture

CVE-2025-12974

High

Published: 18 November 2025

Modified: 15 April 2026
KEV Added: not listed
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (45.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-12974 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Gravityforms (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

[prevent] Patching the Gravity Forms plugin to versions beyond 2.9.21.1 directly remediates the missing file type validation in the chunked upload mechanism.

[prevent] Enforces validation of file types during uploads to block dangerous extensions like .phar that bypass the inadequate blacklist.

[prevent, detect] Malicious code protection mechanisms at upload entry points scan and block executable .phar files attempting remote code execution.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables unauthenticated attackers to exploit a public-facing WordPress plugin via arbitrary file upload leading to potential RCE, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including, 2.9.21.1. This is due to the extension blacklist not including .phar files, which can be uploaded through the chunked upload mechanism. This makes it possible for unauthenticated attackers to upload executable .phar files and achieve remote code execution on the server, granted they can discover or enumerate the upload path. In order for an attacker to achieve RCE, the web server needs to be set up to process .phar files as PHP via file handler mapping or similar.

Deeper analysis [AI-generated]

CVE-2025-12974 affects the Gravity Forms plugin for WordPress in all versions up to and including 2.9.21.1. The vulnerability stems from missing file type validation in the legacy chunked upload mechanism, where the extension blacklist does not include .phar files. This allows arbitrary file uploads, as .phar files can be submitted through the chunked upload process.

Unauthenticated attackers can exploit this vulnerability remotely, though it requires high attack complexity. By discovering or enumerating the upload path, they can upload executable .phar files. Remote code execution is achievable if the web server is configured to process .phar files as PHP via file handler mapping or similar mechanisms. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
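The two paragraphs above describe the defect (a deny-list that omits .phar) and the precondition for code execution (a handler mapping that treats .phar as PHP); the mitigating-controls section earlier recommends allow-list validation instead. The following Python is an added illustration written for this page, not Gravity Forms code and not a reconstruction of its actual checks: `DENY_LIST`, `ALLOW_LIST`, the sample file names and the handler mapping are all constructed. It contrasts a deny-list check with an allow-list check that also rejects script extensions hidden in inner name segments, and it models the advisory's "only executes if the server maps the extension to PHP" caveat.

```python
"""Upload extension checks illustrating the weakness class behind CVE-2025-12974.
Constructed example for this page; not the plugin's own code."""
import posixpath

# Constructed deny-list that, like the one the advisory describes, omits "phar".
DENY_LIST = {"php", "php3", "php4", "php5", "php7", "phtml", "phps", "exe", "sh"}

# Constructed allow-list of what a form-upload endpoint actually needs.
ALLOW_LIST = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "docx"}

# Extensions that must not appear in any segment of a stored name: Apache-style
# handler mapping can act on inner extensions (for example "a.php.pdf").
SCRIPT_EXTENSIONS = DENY_LIST | {"phar"}


def _segments(filename: str) -> list[str]:
    """Split a client-supplied name into lower-cased dot-separated parts,
    dropping any directory component the client may have sent."""
    base = posixpath.basename(filename.replace("\\", "/"))
    return base.lower().split(".")


def denylist_allows(filename: str) -> bool:
    """The weak check: anything not explicitly banned is accepted."""
    parts = _segments(filename)
    ext = parts[-1] if len(parts) > 1 else ""
    return ext not in DENY_LIST


def allowlist_allows(filename: str) -> bool:
    """The corrected check: the final extension must be on the allow-list and
    no inner segment may be a script extension."""
    parts = _segments(filename)
    if len(parts) < 2 or not parts[0]:
        return False  # no extension at all, or a dotfile
    if parts[-1] not in ALLOW_LIST:
        return False
    return not any(p in SCRIPT_EXTENSIONS for p in parts[1:-1])


def would_execute(filename: str, handler_extensions: set[str]) -> bool:
    """Model the advisory's precondition: a stored upload only becomes code
    execution if the server's handler mapping treats one of its extensions as
    PHP. handler_extensions is a constructed stand-in for that mapping."""
    parts = _segments(filename)
    return any(p in handler_extensions for p in parts[1:])


def evaluate(filenames: list[str], handler_extensions: set[str]) -> dict[str, dict[str, bool]]:
    """Run all three checks over a batch of names."""
    return {
        name: {
            "denylist": denylist_allows(name),
            "allowlist": allowlist_allows(name),
            "executes": would_execute(name, handler_extensions),
        }
        for name in filenames
    }


if __name__ == "__main__":
    # Constructed sample upload names.
    samples = ["report.pdf", "shell.php", "shell.phar", "shell.PHAR",
               "notes.phar.pdf", "../shell.phar"]
    # Constructed handler mapping: a server that maps both php and phar to PHP.
    handlers = {"php", "phar"}
    for name, r in evaluate(samples, handlers).items():
        print(f"{name:16} denylist={r['denylist']!s:5} "
              f"allowlist={r['allowlist']!s:5} executes={r['executes']}")
```

Running the demo shows the deny-list accepting `shell.phar` while the allow-list rejects it, and `would_execute` returning False for the same file when the handler mapping covers only `php`, which is exactly the server-configuration dependency the description calls out.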

Mitigation details are available in the Gravity Forms changelog at https://docs.gravityforms.com/gravityforms-change-log/. Relevant code locations include common/common.php at line 4178 and includes/upload.php at line 97 in the plugin's GitHub repository. Additional analysis is provided in Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/b6395439-da45-4b64-8e30-b106dffd46c1?source=cve. Security practitioners should update to patched versions beyond 2.9.21.1.

Details

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Affected Products

Gravityforms (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-63695 (shared CWE-434)
CVE-2025-11170 (shared CWE-434)
CVE-2025-34328 (shared CWE-434)
CVE-2025-15158 (shared CWE-434)
CVE-2025-12138 (shared CWE-434)
CVE-2025-12674 (shared CWE-434)
CVE-2025-54449 (shared CWE-434)
CVE-2025-11499 (shared CWE-434)
CVE-2025-70457 (shared CWE-434)
CVE-2025-14390 (shared CWE-434)

References