Unrestricted File Upload Vulnerability in NotFound Multi Uploader for Gravity Forms
CVE-2025-23921

9CRITICAL

Key Information:

Vendor: WordPress
Status: Multi Uploader For Gravity Forms
Vendor: CVE Published:; 22 January 2025

What is CVE-2025-23921?

The NotFound Multi Uploader for Gravity Forms has a vulnerability that permits the upload of files with dangerous types, which can lead to the execution of malicious scripts on the server. This flaw can allow an attacker to upload a web shell, granting them unauthorized control over the web server. Users are encouraged to review their current version and consider updating to mitigate risks associated with this vulnerability.

Affected Version(s)

Multi Uploader for Gravity Forms <= 1.1.3

References

https://patchstack.com/database/wordpress/plugin/gf-multi...

vdb-entry

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 22, 2025
Vulnerability Reserved
Jan 16, 2025

Credit

Colin Xu (Patchstack Alliance)

WordPress

What is CVE-2025-23921?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit