CVE-2025-14344
Multi Uploader for Gravity Forms plugin for WordPress
Executive summary
A critical vulnerability has been identified in the Multi Uploader for Gravity Forms plugin for WordPress. This flaw allows any unauthenticated attacker on the internet to delete arbitrary files from the server hosting the website, which could lead to a complete site outage, data loss, or create opportunities for further system compromise. Due to the ease of exploitation and severe impact, immediate action is required.
Vulnerability
The vulnerability exists within the plupload_ajax_delete_file function, which is accessible without authentication. The function fails to properly validate the file path provided by the user. An attacker can exploit this by crafting a request containing path traversal sequences (e.g., ../../..) to target and delete any file on the server that the web server process has permissions to delete, including critical application files like wp-config.php, system configuration files, or other sensitive data.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could have a devastating business impact, including a complete denial of service if core application or server files are deleted, rendering the website and associated services unavailable. The deletion of configuration files could expose sensitive information such as database credentials, leading to a significant data breach. The direct financial costs of system restoration, reputational damage, and loss of customer trust are substantial risks to the organization.
Remediation
Immediate Action: Update the 'Multi Uploader for Gravity Forms' plugin to the latest available version (any version after 1.1.7) without delay. After patching, review server logs for suspicious POST requests to the WordPress AJAX endpoint that may indicate past or ongoing exploitation attempts.
Proactive Monitoring: Implement monitoring for unusual requests targeting the plupload_ajax_delete_file action, especially those originating from unknown IP addresses or containing path traversal payloads (../). Utilize a File Integrity Monitoring (FIM) solution to alert on unauthorized or unexpected deletion of critical files within the webroot and other sensitive system directories.
Compensating Controls: If immediate patching is not feasible, consider disabling and deactivating the plugin until it can be updated. Alternatively, deploy a Web Application Firewall (WAF) with rules specifically designed to block path traversal attempts targeting the vulnerable AJAX function. Hardening file system permissions to prevent the web server user from deleting critical files outside its designated directories can also limit the potential impact.
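The log review and monitoring steps above can be scripted. The following is an added example written for this advisory, not code from the plugin or the vendor: it scans constructed access-log lines for requests to the WordPress AJAX endpoint (admin-ajax.php) that name the vulnerable action and carry a traversal or absolute-path payload, undoing repeated percent-encoding so doubly encoded `../` is not missed. It assumes the AJAX action parameter uses the same name as the function in the advisory, and that POST bodies are only available when a WAF or request log supplies them (a plain access log shows the query string only).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"          # WordPress AJAX front controller
VULN_ACTION = "plupload_ajax_delete_file"       # assumed to equal the function name in the advisory
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Combined-log-format prefix: client IP, then the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)')

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "POST /wp-admin/admin-ajax.php?action=plupload_ajax_delete_file&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2',
    '198.51.100.9 - - [01/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=plupload_ajax_delete_file&file=photo.png HTTP/1.1" 200 2',
    '192.0.2.7 - - [01/Jan/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 2',
]

def fully_decode(value):
    """Undo up to three rounds of percent-encoding so %252e%252e%252f is also seen as ../."""
    for _ in range(3):
        value = unquote(value)
    return value

def classify(target, body=""):
    """Return 'high', 'medium' or None for one request (target = path + query;
    body = form-encoded POST body when a WAF/request log provides it)."""
    parts = urlsplit(target)
    if parts.path != AJAX_PATH:
        return None
    params = {}
    for raw in (parts.query, body):
        for key, vals in parse_qs(raw, keep_blank_values=True).items():
            params.setdefault(key, []).extend(fully_decode(v) for v in vals)
    if VULN_ACTION not in params.get("action", []):
        return None
    for key, vals in params.items():  # any other parameter carrying ../ or an absolute path
        if key != "action" and any(TRAVERSAL.search(v) or v.startswith("/") for v in vals):
            return "high"
    return "medium"  # hit on the vulnerable action without a traversal payload

def scan_access_log(lines):
    """Return [(ip, severity, target)] for log lines that hit the vulnerable action."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        sev = classify(m["target"]) if m else None
        if sev:
            hits.append((m["ip"], sev, m["target"]))
    return hits
```

A 'medium' hit on an unauthenticated delete action is still worth a FIM cross-check, since the file parameter may have travelled in the POST body rather than the query string.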
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the critical CVSS score and the fact that no authentication is required to exploit this vulnerability, this issue represents a clear and present danger to affected systems. We strongly recommend that organizations immediately apply the vendor-supplied patch for the 'Multi Uploader for Gravity Forms' plugin. This vulnerability should be treated with the highest priority, as its exploitation can lead to a complete compromise of website availability and integrity.