Introduction
Attackers can gain remote code execution on WordPress sites running Gravity Forms by uploading a specially crafted .phar file through a legacy chunked upload endpoint. This vulnerability impacts a plugin deployed on millions of sites, making it a significant risk for any organization relying on Gravity Forms for file handling or user submissions.
Gravity Forms is a dominant form management plugin for WordPress, developed by RocketGenius. It is used by businesses of all sizes for contact forms, lead generation, and complex workflow automation. Its market presence and integration with critical business processes mean that vulnerabilities in Gravity Forms have far-reaching consequences across the WordPress ecosystem.
Technical Information
CVE-2025-12974 arises from a flaw in the legacy chunked upload mechanism of Gravity Forms, present in all versions up to and including 2.9.21.1. The plugin uses a blacklist to restrict dangerous file types during file uploads. However, the .phar extension was not included in this blacklist, allowing attackers to upload files with this extension. The relevant validation logic is found in the plugin's common.php and upload.php files. Specifically, the blacklist check failed to account for .phar files, which are PHP archives that can contain executable PHP code.
The vulnerability can be exploited without authentication. An attacker can submit a .phar file via a form using the legacy chunked upload endpoint. If the web server is configured to execute .phar files as PHP (for example, through handler mappings), accessing the uploaded file will trigger execution of the embedded PHP code. This leads to remote code execution under the context of the web server process.
The root cause is the incomplete extension blacklist in the upload handler. The code responsible for this validation is publicly available:
```php
// Reference: https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/common/common.php#L4178
$blacklist = array( 'php', 'exe', 'jsp', ... ); // .phar missing

// Reference: https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/includes/upload.php#L97
if ( in_array( $extension, $blacklist ) ) {
    // Reject upload
}
```
Because .phar is not blacklisted, the upload proceeds. The file is written to a predictable location in the uploads directory. Attackers must then discover or guess the upload path, which may involve brute force or information disclosure techniques. Once the path is known, a direct request to the .phar file triggers code execution if the server executes .phar files as PHP.
This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
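The following PHP script is an added illustration, not code from Gravity Forms or from this advisory. It places a blacklist check of the kind described above beside an allowlist check that examines every extension segment of the filename, and runs both over a set of constructed filenames so the difference in outcome for .phar, .PHAR and double-extension names is visible. The function names, the contents of both lists and the sample filenames are assumptions chosen for the demonstration.

```php
<?php
// Added example, not Gravity Forms code. Contrasts an incomplete extension
// blacklist (the pattern behind CVE-2025-12974) with an allowlist that checks
// every extension segment. List contents and sample names are constructed.

// Partial blacklist in the style described in the advisory; .phar is absent.
const LEGACY_BLACKLIST = array( 'php', 'php3', 'php4', 'php5', 'phtml', 'exe', 'jsp' );

// What a typical document/image upload field actually needs (assumed set).
const UPLOAD_ALLOWLIST = array( 'pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt' );

/**
 * Return every extension segment of a filename, lower-cased.
 * "report.final.PDF" -> ['final', 'pdf'];  "shell.pdf.phar" -> ['pdf', 'phar'].
 * Every segment is inspected, not only the last one, because some web server
 * handler configurations evaluate more than one extension of a filename.
 */
function extension_segments( $filename ) {
    $base  = basename( $filename );   // ignore any directory component
    $parts = explode( '.', $base );
    array_shift( $parts );            // drop the name before the first dot
    return array_map( 'strtolower', array_map( 'trim', $parts ) );
}

/** Vulnerable pattern: compare only the final extension against a deny list. */
function legacy_blacklist_allows( $filename ) {
    $ext = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
    return ! in_array( $ext, LEGACY_BLACKLIST, true );
}

/** Hardened pattern: every extension segment must appear on the allowlist. */
function allowlist_allows( $filename ) {
    $segments = extension_segments( $filename );
    if ( empty( $segments ) ) {
        return false;                 // no extension at all: reject conservatively
    }
    foreach ( $segments as $segment ) {
        if ( ! in_array( $segment, UPLOAD_ALLOWLIST, true ) ) {
            return false;             // unknown segment anywhere in the name
        }
    }
    return true;
}

// Constructed sample filenames covering the interesting cases.
$samples = array(
    'resume.pdf',
    'photo.JPG',
    'shell.php',
    'shell.phar',
    'shell.PHAR',
    'shell.pdf.phar',
    'shell.phar.pdf',
    'noextension',
);

printf( "%-18s %-10s %-10s\n", 'filename', 'blacklist', 'allowlist' );
foreach ( $samples as $name ) {
    printf(
        "%-18s %-10s %-10s\n",
        $name,
        legacy_blacklist_allows( $name ) ? 'accept' : 'reject',
        allowlist_allows( $name ) ? 'accept' : 'reject'
    );
}
```

Run it with the php CLI. The table it prints shows the blacklist accepting shell.phar, shell.PHAR and shell.pdf.phar because none of their final extensions is on the deny list, while the allowlist rejects all three without anyone having had to anticipate the .phar extension in advance. Inside a WordPress plugin the allowlist should be taken from the form field's configured file types and combined with WordPress's own wp_check_filetype_and_ext(), which also inspects the file content rather than trusting the name. Independently of plugin code, configuring the web server not to execute PHP (including .phar handler mappings) from wp-content/uploads removes the precondition described in the paragraph on exploitation above.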
Affected Systems and Versions
- Gravity Forms for WordPress, all versions up to and including 2.9.21.1
- The vulnerability is present in the legacy chunked upload mechanism
- Exploitation requires the web server to be configured to execute .phar files as PHP
Vendor Security History
Gravity Forms has a history of file upload vulnerabilities and related security issues. Notably, CVE-2025-12352 allowed arbitrary file uploads via the copy_post_image function. The plugin also experienced a supply chain compromise in July 2025, where malicious code was injected into downloadable packages. The vendor typically releases patches quickly after disclosure, but recurring file upload flaws indicate ongoing gaps in secure development practices and input validation.