Medium severity6.8NVD Advisory· Published Dec 24, 2025· Updated Apr 15, 2026

CVE-2025-13407

Description

The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path.

Affected products

WordPress/Gravityformsinferred
Range: <2.9.23.1
Package: https://wordpress.org/plugins/gravityforms

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wpscan.com/vulnerability/e09908fb-f5ad-45ca-8698-c0d596fd39cc/nvd

News mentions

No linked articles in our index yet.

cvss	0.442
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000