CVE-2025-14344
Published: 12 December 2025
Summary
CVE-2025-14344 is a critical-severity Path Traversal (CWE-22) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the insufficient file path validation in the plupload_ajax_delete_file function, preventing path traversal that enables arbitrary file deletion.
Remediates the specific flaw in Multi Uploader for Gravity Forms plugin versions up to 1.1.7 by identifying, testing, and deploying security patches.
Enforces approved authorizations to block unauthenticated access to the vulnerable AJAX delete endpoint, stopping remote exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress plugin enables arbitrary file deletion, directly mapping to T1190 (Exploit Public-Facing Application) and T1107 (File Deletion).
NVD Description
The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers…
more
to delete arbitrary files on the server.
Deeper analysisAI
CVE-2025-14344 is a path traversal vulnerability (CWE-22) in the Multi Uploader for Gravity Forms plugin for WordPress, affecting all versions up to and including 1.1.7. The issue stems from insufficient file path validation in the 'plupload_ajax_delete_file' function, enabling arbitrary file deletion on the server. Published on 2025-12-12, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to high impacts across confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required. By crafting malicious requests to the affected function, they can delete arbitrary files on the web server, potentially disrupting services, destroying data, or enabling further compromise through targeted deletions such as configuration files or backups.
Mitigation details are available in referenced advisories, including the Wordfence threat intelligence page (https://www.wordfence.com/threat-intel/vulnerabilities/id/346af237-0411-4cc4-9544-eab697385a2f?source=cve), the plugin's vulnerable code at lines 41-43 in GFMUHandlePluploader.class.php (https://plugins.trac.wordpress.org/browser/gf-multi-uploader/tags/1.1.7/inc/GFMUHandlePluploader.class.php?marks=41-43#L41), and WordPress plugin trac changeset 3421317 (https://plugins.trac.wordpress.org/changeset/3421317/), which addresses the flaw. Security practitioners should update to a version beyond 1.1.7 and review access to the plugin's AJAX endpoints.
Details
- CWE(s)