CVE-2025-12352

The Gravity Forms plugin for WordPress

Executive summary

A critical vulnerability has been identified in the Gravity Forms plugin for WordPress, which could allow an unauthenticated attacker to upload malicious files to a web server. Successful exploitation of this vulnerability could lead to remote code execution, enabling an attacker to gain complete control of the affected website, steal sensitive data, and potentially compromise the underlying server.

Vulnerability

The vulnerability exists within the copy_post_image() function of the Gravity Forms plugin. This function lacks proper validation to ensure that uploaded files are of an expected and safe file type (e.g., JPEG, PNG). An attacker can exploit this flaw by crafting a request that uploads a malicious script (such as a PHP web shell) disguised as an image file. Once uploaded, the attacker can navigate to the file's location on the server to execute arbitrary code with the permissions of the web server process.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could result in a full system compromise, leading to severe business consequences. These include the theft or exposure of sensitive company or customer data, significant reputational damage, website defacement, and the use of the compromised server to launch further attacks or host malicious content. The potential for operational disruption and financial loss is extremely high, and the organization could face regulatory fines depending on the nature of the data compromised.

Remediation

Immediate Action: Update the Gravity Forms plugin for WordPress to the latest patched version on all affected websites. After patching, monitor for post-remediation exploitation attempts and thoroughly review web server access logs for indicators of a prior compromise.

Proactive Monitoring: Implement enhanced monitoring on web servers hosting the Gravity Forms plugin. Security teams should look for suspicious file uploads to the WordPress content directories (e.g., wp-content/uploads), particularly for files with executable extensions like .php, .phtml, or .phar. Monitor web server logs for direct requests to non-image files in upload directories and watch for unusual outbound network traffic from the web server.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

  • Utilize a Web Application Firewall (WAF) with rules designed to inspect file uploads and block malicious file types and content.
  • If possible, temporarily disable forms that allow file uploads through the Gravity Forms plugin.
  • Harden web server configurations to prevent the execution of scripts in the uploads directory.
  • Implement File Integrity Monitoring (FIM) to detect the creation of unauthorized files on the web server.
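The monitoring guidance above (direct requests to executable or non-image files under wp-content/uploads) can be turned into a simple log check. The script below is an added example, not part of this advisory or of Gravity Forms; it assumes the Apache/nginx "combined" access log layout, and the log lines it scans are constructed samples using documentation IP ranges.

```python
import re

# Apache/nginx "combined" log format; the regex is an assumption about the log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_DIR = "/wp-content/uploads/"
EXEC_EXTS = (".php", ".phtml", ".phar")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".webp")

def classify_path(path):
    """Label a request path under the uploads directory, or return None if it looks benign."""
    path = path.split("?", 1)[0].lower()
    if UPLOAD_DIR not in path:
        return None
    name = path.rsplit("/", 1)[-1]
    # An executable extension anywhere in the name catches both shell.php and shell.php.jpg
    # (double extensions can still be executed under some server configurations).
    if any(name.endswith(e) or (e + ".") in name for e in EXEC_EXTS):
        return "executable-in-uploads"
    if not name.endswith(IMAGE_EXTS):
        return "non-image-in-uploads"
    return None

def scan_log(lines):
    """Return (ip, method, path, status, label) for every suspicious request in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline should count these too
        label = classify_path(m["path"])
        if label:
            findings.append((m["ip"], m["method"], m["path"], int(m["status"]), label))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [02/Nov/2025:09:12:01 +0000] "GET /wp-content/uploads/2025/11/banner.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Nov/2025:09:12:05 +0000] "GET /wp-content/uploads/2025/11/image.php HTTP/1.1" 200 88 "-" "curl/8.4.0"
203.0.113.9 - - [02/Nov/2025:09:12:09 +0000] "GET /wp-content/uploads/2025/11/photo.php.jpg?v=2 HTTP/1.1" 200 41 "-" "curl/8.4.0"
198.51.100.7 - - [02/Nov/2025:09:13:00 +0000] "GET /wp-content/uploads/2025/11/report.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Nov/2025:09:13:30 +0000] "GET /wp-includes/js/jquery.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
```

Hits labelled executable-in-uploads with a 200 status deserve immediate investigation; non-image hits (PDFs and other legitimate attachments) are lower confidence and mainly useful for baselining what normally lives in the uploads tree.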

Exploitation status

Public Exploit Available: True

Analyst recommendation

This vulnerability represents a critical and immediate threat to the organization. Given the CVSS score of 9.8 and the availability of a public exploit, all systems running a vulnerable version of the Gravity Forms plugin must be patched immediately. Although this CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, its critical nature warrants treating it with the highest priority. In addition to patching, all affected systems should be proactively investigated for signs of compromise, as the vulnerability may have been exploited before remediation was applied.