Introduction
Attackers can upload arbitrary files to WordPress sites running Gravity Forms up to and including version 2.9.20, potentially achieving remote code execution if the server's PHP configuration has allow_url_fopen enabled and the site has a form with post creation enabled and a Post Image (file upload) field. This vulnerability, tracked as CVE-2025-12352, has a critical CVSS score of 9.8 and affects one of the most widely deployed form plugins in the WordPress ecosystem.
Gravity Forms is developed by RocketGenius and is a cornerstone of the WordPress plugin landscape. It is used by organizations of all sizes for lead generation, content submission, and complex workflow automation. The plugin's extensive feature set and integration capabilities have made it a high-value target for attackers, especially given its history of security issues, including file upload and cross-site scripting vulnerabilities as well as a recent supply chain compromise.
Technical Information
CVE-2025-12352 arises from missing file type validation in the copy_post_image() function of Gravity Forms up to and including version 2.9.20. The vulnerability is triggered when a WordPress site uses a Gravity Forms form with the post creation feature enabled and includes a Post Image field. If the server's PHP configuration has allow_url_fopen set to On, the function will copy files from external URLs to the WordPress uploads directory without validating the file type or extension. This allows unauthenticated attackers to upload arbitrary files, including executable PHP scripts, to the server.
The vulnerable code path is publicly referenced in the Gravity Forms source code:
// forms_model.php (see reference): copy_post_image() lacks file type validation
If the web server is configured to execute files from the uploads directory, an attacker can trigger remote code execution by accessing the uploaded file directly. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
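As an added example (not Gravity Forms' own code), the following PHP shows the checks a remote-image copy routine needs before anything reaches the uploads directory; the function name, the constant and the hypothetical caller's paths are assumptions:

```php
<?php
// Added example, not Gravity Forms code: a hardened pattern for copying a
// remote image into an uploads directory. Names are assumptions; a real
// plugin should use WordPress helpers such as wp_check_filetype_and_ext().
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function copy_remote_image_safely(string $url, string $uploads_dir): ?string
{
    // 1. Only fetch over http(s): rejects file://, php://, data: and friends.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    // 2. Download to a temp file outside the web root, with a size cap.
    $tmp = tempnam(sys_get_temp_dir(), 'img');
    $ctx = stream_context_create(['http' => ['timeout' => 10, 'follow_location' => 0]]);
    $data = @file_get_contents($url, false, $ctx, 0, 5 * 1024 * 1024);
    if ($data === false || file_put_contents($tmp, $data) === false) {
        @unlink($tmp);
        return null;
    }

    // 3. Derive the type from the bytes on disk, never from the URL.
    //    libmagic and PHP's image parser must agree and be on the allowlist,
    //    so a PHP script named "avatar.png" is rejected here.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmp);
    finfo_close($finfo);
    $img = @getimagesize($tmp);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime]) || $img === false || $img['mime'] !== $mime) {
        @unlink($tmp);
        return null;
    }

    // 4. Server-generated name and extension: attacker-chosen names never reach disk,
    //    so even a valid image with embedded code is stored as .jpg/.png/.gif.
    $dest = rtrim($uploads_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!rename($tmp, $dest)) {
        @unlink($tmp);
        return null;
    }
    chmod($dest, 0644);
    return $dest;
}
```

Pair this with a web-server rule that refuses to execute scripts under wp-content/uploads (for example an nginx location block that denies *.php there), which closes the execution half of the CWE-434 chain even if a validation bypass is found later.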
Affected Systems and Versions
- Gravity Forms for WordPress, all versions up to and including 2.9.20
- Vulnerable only if:
  - The site has a form with post creation enabled and a Post Image field
  - PHP allow_url_fopen is set to On
Vendor Security History
Gravity Forms has a history of security issues, including:
- Arbitrary file upload vulnerability in 2015
- Multiple cross-site scripting vulnerabilities in recent years
- SQL injection vulnerabilities
- A supply chain compromise in July 2025, where attackers injected malicious code into the plugin repository
The vendor typically responds promptly to reported vulnerabilities, releasing patches and security advisories. However, the recurrence of file upload and other critical issues highlights ongoing challenges in secure plugin development and the need for continuous improvement in code review and security testing practices.