CVE-2025-12352: 
WordPress vulnerability analysis and mitigation

The Gravity Forms plugin for WordPress contains a critical vulnerability (CVE-2025-12352) discovered by researcher Talal Nasraddeen and disclosed on November 6, 2025. The vulnerability affects all versions up to and including 2.9.20, allowing unauthenticated attackers to perform arbitrary file uploads due to missing file type validation in the copypostimage() function (NVD, Wordfence).

The vulnerability is classified with a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It is categorized as CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue specifically affects sites that have allowurlfopen set to 'On', with the post creation form enabled along with a file upload field for the post (NVD).

The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected site's server, potentially leading to remote code execution. This presents a severe security risk as it could allow attackers to take complete control of the affected WordPress installation (NVD).

Site administrators running affected versions of Gravity Forms (2.9.20 and below) should update to a patched version as soon as it becomes available. As a temporary workaround, administrators can disable the post creation form or file upload functionality if not essential to their operations (NVD).