cnvd - cnvd-2025-27878

CNVD-2025-27878

Vulnerability from cnvd - Published: 2025-11-14

Title

WordPress Gravity Forms plugin任意文件上传漏洞

Description

WordPress Gravity Forms plugin是WordPress平台上的专业表单插件，主要用于创建和管理各种交互式表单，支持数据收集、支付处理、工作流自动化等功能。 WordPress Gravity Forms plugin存在任意文件上传漏洞，该漏洞源于copy_post_image函数缺少文件类型验证，攻击者可利用该漏洞导致任意文件上传和远程代码执行。

Severity

高

Patch Name

WordPress Gravity Forms plugin任意文件上传漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级程序修复该安全问题，详情见厂商官网: https://www.wordfence.com/threat-intel/vulnerabilities/id/42525101-6196-40b9-90e7-c7f1886ef247?source=cve

Reference

https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/forms_model.php#L5451C26-L5451C41

Impacted products

Name
WordPress Gravity Forms plugin <=2.9.20

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-12352",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-12352"
    }
  },
  "description": "WordPress Gravity Forms plugin\u662fWordPress\u5e73\u53f0\u4e0a\u7684\u4e13\u4e1a\u8868\u5355\u63d2\u4ef6\uff0c\u4e3b\u8981\u7528\u4e8e\u521b\u5efa\u548c\u7ba1\u7406\u5404\u79cd\u4ea4\u4e92\u5f0f\u8868\u5355\uff0c\u652f\u6301\u6570\u636e\u6536\u96c6\u3001\u652f\u4ed8\u5904\u7406\u3001\u5de5\u4f5c\u6d41\u81ea\u52a8\u5316\u7b49\u529f\u80fd\u3002\n\nWordPress Gravity Forms plugin\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8ecopy_post_image\u51fd\u6570\u7f3a\u5c11\u6587\u4ef6\u7c7b\u578b\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u548c\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51:\r\nhttps://www.wordfence.com/threat-intel/vulnerabilities/id/42525101-6196-40b9-90e7-c7f1886ef247?source=cve",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-27878",
  "openTime": "2025-11-14",
  "patchDescription": "WordPress Gravity Forms plugin\u662fWordPress\u5e73\u53f0\u4e0a\u7684\u4e13\u4e1a\u8868\u5355\u63d2\u4ef6\uff0c\u4e3b\u8981\u7528\u4e8e\u521b\u5efa\u548c\u7ba1\u7406\u5404\u79cd\u4ea4\u4e92\u5f0f\u8868\u5355\uff0c\u652f\u6301\u6570\u636e\u6536\u96c6\u3001\u652f\u4ed8\u5904\u7406\u3001\u5de5\u4f5c\u6d41\u81ea\u52a8\u5316\u7b49\u529f\u80fd\u3002\r\n\r\nWordPress Gravity Forms plugin\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8ecopy_post_image\u51fd\u6570\u7f3a\u5c11\u6587\u4ef6\u7c7b\u578b\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u548c\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "WordPress Gravity Forms plugin\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "WordPress Gravity Forms plugin \u003c=2.9.20"
  },
  "referenceLink": "https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/forms_model.php#L5451C26-L5451C41",
  "serverity": "\u9ad8",
  "submitTime": "2025-11-12",
  "title": "WordPress Gravity Forms plugin\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e"
}

CVE-2025-12352 (GCVE-0-2025-12352)

Vulnerability from cvelistv5 – Published: 2025-11-07 04:28 – Updated: 2025-11-07 17:41

Title

Gravity Forms <= 2.9.20 - Unauthenticated Arbitrary File Upload via 'copy_post_image'

Summary

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the copy_post_image() function in all versions up to, and including, 2.9.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This only impacts sites that have allow_url_fopen set to `On`, the post creation form enabled along with a file upload field for the post

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-434 - Unrestricted Upload of File with Dangerous Type

Assigner

Wordfence

References

URL

Tags

	https://www.wordfence.com/threat-intel/vulnerabil…
	https://github.com/pronamic/gravityforms/blob/06d…
	https://github.com/pronamic/gravityforms/blob/06d…

Impacted products

	Vendor	Product	Version
	Gravity Forms	Gravity Forms	Affected: * , ≤ 2.9.20 (semver)

Credits

Talal Nasraddeen

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12352",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-07T17:40:59.933047Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-07T17:41:19.665Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gravity Forms",
          "vendor": "Gravity Forms",
          "versions": [
            {
              "lessThanOrEqual": "2.9.20",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Talal Nasraddeen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the copy_post_image() function in all versions up to, and including, 2.9.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible. This only impacts sites that have allow_url_fopen set to `On`, the post creation form enabled along with a file upload field for the post"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-07T04:28:53.882Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42525101-6196-40b9-90e7-c7f1886ef247?source=cve"
        },
        {
          "url": "https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/includes/fields/class-gf-field-fileupload.php#L306"
        },
        {
          "url": "https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/forms_model.php#L5451C26-L5451C41"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-10-22T00:00:00.000+00:00",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2025-10-27T20:34:24.000+00:00",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-11-06T16:28:27.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Gravity Forms \u003c= 2.9.20 - Unauthenticated Arbitrary File Upload via \u0027copy_post_image\u0027"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-12352",
    "datePublished": "2025-11-07T04:28:53.882Z",
    "dateReserved": "2025-10-27T15:06:41.806Z",
    "dateUpdated": "2025-11-07T17:41:19.665Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-27878

CVE-2025-12352 (GCVE-0-2025-12352)

Tags

Sightings

Nomenclature