Author: Chizuru Toyama, TXOne Threat Research
Overview
WordPress powers a significant portion of the web, and its plugin ecosystem is both a strength and a vulnerability. Upload-handling plugins are persistently targeted because any weakness in file validation gives attackers a direct path to remote code execution. Our telemetry has revealed consistent, periodic exploitation attempts since August 2024 against CVE-2025-23921, a critical vulnerability in the Multi Uploader for Gravity Forms plugin.
This persistence underscores a key reality: attackers often revisit known vulnerabilities long after disclosure, targeting sites that remain unpatched. A newly disclosed vulnerability in Gravity Forms core, CVE-2025-12352, has not yet appeared in our telemetry, but its critical nature also makes it a likely target of future campaigns.
CVE-2025-23921: Multi Uploader Exploitation Trends
- Plugin: Multi Uploader for Gravity Forms
- Affected Versions: Up to and including 1.1.3
- Severity: Critical
- CVSS v3.1 Score: 9.0
- Type: Arbitrary File Upload
- Impact: Remote Code Execution (RCE)
- Attack Pattern:
  - Exploits target the gf_page=upload endpoint using crafted multipart/form-data requests.
  - Malicious files containing executable code often masquerade as images (e.g., .phtml webshells).
- Telemetry Observations:
  - Exploit attempts have been detected consistently since August 2024, with spikes in activity during October, January, and April.
  - Payload sizes typically range from 850–950 bytes, matching lightweight webshell signatures.
  - Attacks originate from diverse regions, including North America, Europe, and Asia, indicating global targeting.
CVE-2025-12352: Gravity Forms Core Vulnerability
- Plugin: Gravity Forms (Core)
- Affected Versions: Up to and including 2.9.20
- Patched Version: 2.9.21
- Severity: Critical
- CVSS v3.1 Score: 9.8
- Type: Arbitrary File Upload
- Impact: Remote Code Execution (RCE)
- Root Cause: Missing file type validation in the copy_post_image() function
- Conditions:
  - allow_url_fopen enabled on the server
  - A post-creation form with an active file upload field
Mitigation Strategies
- Patch Immediately:
  - Update Multi Uploader to 1.1.5 or later and Gravity Forms to 2.9.21 or later
- Restrict File Uploads:
  - Enforce strict MIME type validation and disable PHP execution in upload directories
- Deploy WAF or IPS Rules:
  - Block suspicious multipart/form-data requests targeting gf_page=upload
- Monitor Logs:
  - Look for anomalies in POST requests with directory traversal or .phtml extensions
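The upload restrictions listed above (an extension allowlist, MIME type checked against the actual bytes, and no client-controlled path) combined into one server-side check, as an added Python example written for this post; it is not code from Gravity Forms, Multi Uploader or TXOne. The allowed-type table, the executable-extension list and the sample inputs are constructed for illustration, and the check generalizes beyond .phtml to every extension a PHP-enabled server might execute.

```python
import hashlib

# Allowlist of image types the form accepts: extension -> (expected MIME, magic-byte prefixes).
# Constructed for this example; extend it with the types a given form legitimately needs.
ALLOWED_IMAGE_TYPES = {
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}

# Extensions a PHP-enabled web server may hand to the interpreter. They are rejected if they
# appear anywhere in the name, so "shell.phtml.jpg" is refused as well as "shell.phtml".
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}


def validate_upload(filename: str, declared_mime: str, data: bytes):
    """Validate one uploaded file.

    Returns (True, safe_storage_name) when every check passes, otherwise (False, reason).
    The caller stores the file only under the returned name, in a directory where
    PHP execution is disabled.
    """
    # 1. Never let the client choose a directory: reject traversal, separators and NULs.
    if ".." in filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return False, "path traversal or separator in filename"

    # 2. Inspect every extension in the name, not just the last one.
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing or empty extension"
    extensions = parts[1:]
    if any(ext in EXECUTABLE_EXTENSIONS for ext in extensions):
        return False, "executable extension present"
    ext = extensions[-1]
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, f"extension not on allowlist: {ext}"

    # 3. The declared MIME type must agree with the extension ...
    expected_mime, magics = ALLOWED_IMAGE_TYPES[ext]
    if declared_mime.split(";")[0].strip().lower() != expected_mime:
        return False, "declared MIME type does not match extension"

    # 4. ... and the bytes must agree with both, because the client-supplied MIME is untrusted.
    if not any(data.startswith(magic) for magic in magics):
        return False, "file content does not match declared image type"

    # 5. Store under a server-generated name so nothing from the client reaches the path.
    digest = hashlib.sha256(data).hexdigest()[:16]
    return True, f"{digest}.{ext}"


if __name__ == "__main__":
    # Constructed samples: a genuine JPEG header and several shapes an upload filter must refuse.
    samples = [
        ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("../../../shell.phtml", "image/jpeg", b"\xff\xd8\xff\xe0"),
        ("shell.phtml.jpg", "image/jpeg", b"\xff\xd8\xff\xe0"),
        ("shell.jpg", "image/jpeg", b"not an image"),
        ("pic.png", "image/jpeg", b"\x89PNG\r\n\x1a\n"),
    ]
    for name, mime, data in samples:
        ok, detail = validate_upload(name, mime, data)
        print(f"{name:24} -> {'ACCEPT' if ok else 'REJECT'}: {detail}")
```

Magic-byte checks only prove the file begins like an image; a valid image with PHP appended is still possible, which is why the mitigation list pairs validation with disabling PHP execution in the upload directory.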
Generic Snort Rules for Detection
# Rule 1: URI-based detection (every match is bound to the normalized URI buffer)
alert tcp any any -> any 80,443,8080 (msg:"Gravity Forms Multi Uploader Exploit Attempt (CVE-2025-23921)"; flow:to_server,established; content:"gf_page=upload"; nocase; http_uri; pcre:"/gf_page=upload.*\.\.\/\.\.\/\.\.\/[^ ]*\.phtml/iU"; content:"../../../"; nocase; http_uri; reference:cve,2025-23921; sid:1000000; rev:1;)
# Rule 2: POST body inspection for multipart/form-data (the pcre matches a traversal path with a .phtml extension as the value of the gform_unique_id field; every match is bound to the client body buffer)
alert tcp any any -> any 80,443,8080 (msg:"Gravity Forms Multi Uploader Exploit Attempt in POST Body (CVE-2025-23921)"; flow:to_server,established; content:"gf_page=upload"; nocase; content:"Content-Type: multipart/form-data"; nocase; http_client_body; pcre:"/name=\"gform_unique_id\"\s*\r?\n\r?\n\.\.\/\.\.\/\.\.\/[^ ]*\.phtml/iP"; content:"../../../"; nocase; http_client_body; reference:cve,2025-23921; sid:1000001; rev:1;)
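The logic of the two Snort rules above, expressed as detection code that can be run over sample requests, as an added Python example; it is not part of the original post and not a TXOne signature. The sample requests are constructed (not captured traffic), the `file` part name and the `p` query parameter are placeholders, and the matcher generalizes the rules' fixed `../../../` and `.phtml` strings to any traversal sequence (raw or URL-encoded) and any extension PHP may execute.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators mirrored from the Snort rules: a traversal sequence (raw or URL-encoded)
# and a PHP-executable extension. The rules key on the fixed strings "../../../" and
# ".phtml"; these patterns generalize to any depth and any extension PHP may execute.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/)", re.IGNORECASE)
EXEC_EXT = re.compile(r"\.(php|phtml|php\d|phps|phar)\b", re.IGNORECASE)
# The multipart part the second rule inspects: the gform_unique_id field and its value.
UNIQUE_ID_PART = re.compile(r'name="gform_unique_id"\s*\r?\n\r?\n([^\r\n]*)', re.IGNORECASE)
# Any filename= parameter of a Content-Disposition header in the body.
PART_FILENAME = re.compile(r'filename="([^"]*)"', re.IGNORECASE)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def inspect_request(raw: bytes):
    """Return the reasons a request matches the CVE-2025-23921 pattern ([] means clean)."""
    method, target, headers, body = parse_http_request(raw)
    reasons = []
    query = parse_qs(urlsplit(target).query)
    on_upload_endpoint = any(v.lower() == "upload" for v in query.get("gf_page", []))
    if not on_upload_endpoint and "gf_page=upload" not in body.lower():
        return reasons  # both rules require the gf_page=upload endpoint

    # Rule 1 equivalent: traversal plus executable extension in the request target.
    if TRAVERSAL.search(target) and EXEC_EXT.search(target):
        reasons.append(f"traversal and executable extension in URI: {target}")

    # Rule 2 equivalent: the same indicators inside a multipart/form-data body.
    content_type = headers.get("content-type", "").lower()
    if method.upper() == "POST" and content_type.startswith("multipart/form-data"):
        match = UNIQUE_ID_PART.search(body)
        if match and TRAVERSAL.search(match.group(1)) and EXEC_EXT.search(match.group(1)):
            reasons.append(f"traversal and executable extension in gform_unique_id: {match.group(1)}")
        for filename in PART_FILENAME.findall(body):
            if EXEC_EXT.search(filename) or TRAVERSAL.search(filename):
                reasons.append(f"executable or traversing part filename: {filename}")
    return reasons


def is_exploit_attempt(raw: bytes) -> bool:
    return bool(inspect_request(raw))


# Constructed sample requests (not captured traffic). The "file" part name is an assumption.
BENIGN_UPLOAD = (
    b"POST /?gf_page=upload HTTP/1.1\r\n"
    b"Host: forms.example\r\n"
    b"Content-Type: multipart/form-data; boundary=abc\r\n"
    b"\r\n"
    b"--abc\r\n"
    b'Content-Disposition: form-data; name="gform_unique_id"\r\n'
    b"\r\n"
    b"5f2a9c\r\n"
    b"--abc\r\n"
    b'Content-Disposition: form-data; name="file"; filename="photo.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    b"\xff\xd8\xff\xe0...\r\n"
    b"--abc--\r\n"
)
# The same upload, but the gform_unique_id value carries the pattern the second Snort rule flags.
SUSPICIOUS_BODY = BENIGN_UPLOAD.replace(b"5f2a9c", b"../../../x.phtml")
# A request carrying the pattern the first Snort rule flags in the URI; "p" is a placeholder parameter.
SUSPICIOUS_URI = (
    b"GET /?gf_page=upload&p=../../../x.phtml HTTP/1.1\r\n"
    b"Host: forms.example\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in [("benign", BENIGN_UPLOAD), ("body", SUSPICIOUS_BODY), ("uri", SUSPICIOUS_URI)]:
        print(label, inspect_request(raw) or "clean")
```

Running the three samples shows the benign upload producing no findings while each suspicious request yields exactly one, which is the behaviour to confirm before turning a signature like this on in blocking mode.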
Key Takeaways
- CVE-2025-23921 is actively being exploited and has seen periodic attack waves over the past year.
- CVE-2025-12352, though not yet observed in our telemetry, should be patched immediately due to its critical nature.
- Both vulnerabilities enable RCE; proactive patching and monitoring are essential.
TXOne Networks Solutions for CVE-2025-23921
The network defense products from TXOne Networks incorporate the updated IPS signature rule for these vulnerabilities, virtually patching your devices against potential attacks. The IPS signature rule is listed below:
| Rule ID | Vulnerability |
|---|---|
| 1237599 | WEB WordPress Plugin Gravity Forms 1.8.19 Arbitrary File Upload |