CVE-2025-12974

8.1 HIGH

📋 TL;DR

The Gravity Forms WordPress plugin allows unauthenticated attackers to upload .phar files through its legacy chunked upload mechanism, bypassing file type validation. If the web server is configured to execute .phar files as PHP, this can lead to remote code execution. All WordPress sites using Gravity Forms versions up to 2.9.21.1 are affected.

💻 Affected Systems

Products:
  • Gravity Forms WordPress Plugin
Versions: All versions up to and including 2.9.21.1
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires the web server to be configured to execute .phar files as PHP via handler mapping.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise via remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.

🟠 Likely Case

Attackers upload web shells or backdoors to gain persistent access and potentially compromise the entire WordPress site.

🟢 If Mitigated

If proper file type validation is in place and .phar files are blocked, the vulnerability cannot be exploited.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attackers need to discover or enumerate the upload path to achieve RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.21.2 or later

Vendor Advisory: https://docs.gravityforms.com/gravityforms-change-log/

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins > Installed Plugins.
  3. Find Gravity Forms and update to version 2.9.21.2 or later.
  4. Verify the update completed successfully.

🔧 Temporary Workarounds

Block .phar File Uploads via .htaccess


Prevent .phar files from being uploaded by adding a rule to .htaccess.

# Apache directive; place it in the site's .htaccess (or in an .htaccess inside the uploads directory).
# Denies web requests for any file ending in .phar, so an uploaded .phar cannot be executed through the web server.
<FilesMatch "\.phar$">
    # Apache 2.2 access syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
    Order Allow,Deny
    Deny from all
</FilesMatch>

Disable PHP Execution for Uploads Directory


Add a rule to prevent PHP execution in the Gravity Forms uploads directory.

# Goes in the Apache server or virtual-host configuration, not in .htaccess (<Directory> is not permitted there).
# Replace /path/to with the site's real document root. php_flag only takes effect when PHP runs as mod_php;
# PHP-FPM deployments must disable the PHP handler for this directory in the handler configuration instead.
<Directory /path/to/wp-content/uploads/gravity_forms/>
    php_flag engine off
</Directory>

🧯 If You Can't Patch

  • Disable the Gravity Forms plugin immediately.
  • Implement a web application firewall (WAF) rule to block .phar file uploads.

🔍 How to Verify

Check if Vulnerable:

Check the Gravity Forms plugin version in WordPress admin under Plugins > Installed Plugins. If the version is 2.9.21.1 or earlier, the site is vulnerable.

Check Version:

wp plugin list --name=gravityforms --field=version

Verify Fix Applied:

After updating, confirm the plugin version is 2.9.21.2 or later in the WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual .phar file uploads in web server access logs
  • POST requests to Gravity Forms upload endpoints with .phar extensions

Network Indicators:

  • HTTP POST requests containing .phar files to Gravity Forms endpoints

SIEM Query:

source="web_access_logs" AND uri_path="/wp-content/uploads/gravity_forms/*" AND file_extension=".phar"
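The log indicators above as a small scanner over access-log lines, added here as an example and not part of the advisory. It assumes Apache/Nginx combined log format; the sample lines are constructed, and the admin-ajax query string in the POST line is a placeholder, not Gravity Forms' real upload endpoint or parameters.

```python
import re
from dataclasses import dataclass

# Apache/Nginx "combined" access-log layout (assumed; adjust the regex for other formats)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
GF_UPLOAD_DIR = "/wp-content/uploads/gravity_forms/"

@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    uri: str
    status: int
    rule: str

def classify(line: str):
    """Return a Hit if the line matches one of the advisory's log indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    path = uri.partition("?")[0].lower()
    if path.startswith(GF_UPLOAD_DIR) and path.endswith(".phar"):
        rule = "phar_in_gravity_forms_uploads"   # a .phar is being fetched from the upload dir
    elif m.group("method") == "POST" and ".phar" in uri.lower():
        rule = "phar_in_post_request"            # upload attempt naming a .phar file
    elif path.endswith(".phar"):
        rule = "phar_request"                    # any other direct request for a .phar
    else:
        return None
    return Hit(m.group("ip"), m.group("ts"), m.group("method"), uri, int(m.group("status")), rule)

def scan(lines):
    """Scan an iterable of log lines; a 200 on the upload-dir rule means the file is live."""
    return [h for h in map(classify, lines) if h is not None]

# Constructed sample log lines (not real traffic). The admin-ajax query string is a
# placeholder, not Gravity Forms' actual upload endpoint or parameters.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?name=x.phar HTTP/1.1" 200 64',
    '203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "GET /wp-content/uploads/gravity_forms/tmp/x.phar HTTP/1.1" 200 11',
    '198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "GET /wp-content/uploads/gravity_forms/1-ab/photo.jpg HTTP/1.1" 200 9000',
]
```

Run `scan(SAMPLE_LOG)` to get the two suspicious entries; feed real log lines in the same way and sort hits by rule and status.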
