PT-2025-47239 · WordPress · Gravity Forms

Talal Nasraddeen · Published 2025-11-18 · Updated 2025-11-23 · CVE-2025-12974

CVSS v3.1: 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gravity Forms versions prior to 2.9.22

Description: The Gravity Forms plugin for WordPress is vulnerable to arbitrary file upload because of inadequate file type validation in its legacy chunked upload mechanism. The check is an extension blacklist, and that blacklist omits .phar, so an unauthenticated attacker can upload a .phar file containing PHP code. Exploitation has two preconditions, which is why the vector carries AC:H: the web server must execute .phar files as PHP (some stock mod_php configurations, for example the Debian/Ubuntu default, map .phar to the PHP handler alongside .php and .phtml), and the attacker must determine the path the upload was written to. When both hold, the result is remote code execution on the server. Because the control is a blacklist rather than an allowlist of expected file types, an audit should cover every file with an executable extension in the upload directory, not only .phar.

Recommendations: Update Gravity Forms to version 2.9.22 or later. Until then, confirm that the web server does not hand .phar files to PHP and check the upload directory for files that should not be there.
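The triage checks a practitioner would run after reading this advisory, as an added POSIX shell example that is not part of the advisory and not Gravity Forms' own code. It assumes a default WordPress layout with the plugin's main file at wp-content/plugins/gravityforms/gravityforms.php (a standard WordPress plugin header), uploads under wp-content/uploads (Gravity Forms writes to wp-content/uploads/gravity_forms/ by default, but the whole tree is scanned), a sort(1) that understands -V, and a web server config directory passed as the second argument. The sample site tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added triage script for CVE-2025-12974; it is not from the advisory or from
# Gravity Forms. It (1) reads the installed plugin version from the standard
# WordPress plugin header, (2) lists uploaded files with an extension PHP may
# execute, and (3) looks for a web server handler mapping that covers .phar,
# the precondition the advisory names. Assumes a default WordPress layout and
# a sort(1) that understands -V (GNU or BSD).

FIXED_VERSION="2.9.22"

# Print the "Version:" header value from the plugin's main file.
gf_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' \
        "$1/wp-content/plugins/gravityforms/gravityforms.php" 2>/dev/null | head -n 1
}

# Return 0 if dotted version $1 is greater than or equal to $2.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# List files under the uploads tree whose extension a PHP handler might run.
# Gravity Forms writes under wp-content/uploads/gravity_forms/ by default, but
# the whole uploads tree is scanned in case that path was customised.
suspicious_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.phar' -o -iname '*.php' -o -iname '*.phtml' \) 2>/dev/null
}

# Print (and return 0 on) config lines that map .phar to a handler, e.g. the
# Debian/Ubuntu mod_php default  <FilesMatch ".+\.ph(ar|p|tml)$">  or an nginx
# location such as  ~ \.(php|phar)$ . Heuristic: confirm against the live config.
phar_handler_configured() {
    grep -rEin '(FilesMatch|AddHandler|AddType|SetHandler|location).*(phar|ph\(ar)' "$1" 2>/dev/null
}

# Summarise the three checks for a WordPress root ($1) and a config dir ($2).
report() {
    v=$(gf_version "$1")
    if [ -z "$v" ]; then
        echo "Gravity Forms: plugin header not found under $1"
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo "Gravity Forms $v: fixed (>= $FIXED_VERSION)"
    else
        echo "Gravity Forms $v: VULNERABLE, update to $FIXED_VERSION or later"
    fi
    echo "Files with executable extensions under uploads:"
    suspicious_uploads "$1" | sed 's/^/  /'
    if phar_handler_configured "$2"; then
        echo "Web server maps .phar to PHP: exploitation precondition is met"
    else
        echo "No .phar handler mapping found in $2 (verify the running config too)"
    fi
}

# Constructed sample tree (not a real site) so the script runs stand-alone.
make_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins/gravityforms" \
             "$d/wp-content/uploads/gravity_forms/1-abc" \
             "$d/etc/apache2/mods-enabled"
    printf '<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 2.9.21\n*/\n' \
        > "$d/wp-content/plugins/gravityforms/gravityforms.php"
    : > "$d/wp-content/uploads/gravity_forms/1-abc/photo.jpg"
    printf '<?php echo 1;\n' > "$d/wp-content/uploads/gravity_forms/1-abc/update.phar"
    printf '<FilesMatch ".+\\.ph(ar|p|tml)$">\n    SetHandler application/x-httpd-php\n</FilesMatch>\n' \
        > "$d/etc/apache2/mods-enabled/php8.2.conf"
    printf '%s\n' "$d"
}

DEMO=$(make_demo_root)
report "$DEMO" "$DEMO/etc/apache2"
rm -rf "$DEMO"
```

On a real host run `report /var/www/html /etc/apache2` (or the nginx config directory); the handler check is a grep heuristic, so a hit or miss should be confirmed against the effective configuration (for example `apachectl -S` and the enabled mods) rather than trusted on its own.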

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-12974

Affected Products

Gravity Forms