CVE-2025-14344

Severity: CRITICAL, CVSS 3.1 base score 9.8
Published: 2025-12-12

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: Dec 12, 2025 - 04:15 (nvd)
Analysis Generated: Apr 08, 2026 - 18:38 (vuln.today)

Description

The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.

Analysis

Arbitrary file deletion in Multi Uploader for Gravity Forms (WordPress plugin, versions ≤1.1.7) allows unauthenticated remote attackers to delete any file on the server, because the plupload_ajax_delete_file function does not adequately validate the supplied file path. Exploitation requires no credentials and no user interaction. The CVSS 9.8 (Critical) score reflects a network-reachable attack with high impact on confidentiality, integrity, and availability. Observed exploitation activity is low (EPSS 0.37%), and no public exploit had been identified at the time of analysis.

Technical Context

The root cause is a path traversal weakness (CWE-22) in the plupload_ajax_delete_file function (GFMUHandlePluploader.class.php, lines 41-43), which passes a user-controlled file path to the deletion routine without sanitizing it. Because the handler is reachable without authentication (PR:N), a remote request can delete server files directly. All releases up to and including 1.1.7 are affected.
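As an added illustration of the missing validation (this is not the plugin's code, which the page does not reproduce), the following PHP delete handler confines deletions to one dedicated upload directory and requires a nonce; all function, action and directory names are hypothetical:

```php
<?php
// Added illustration, not the plugin's code. Hypothetical names throughout.
// A delete handler that only removes regular files inside $uploadDir.

function gfmu_example_delete_upload_file(string $requested, string $uploadDir): bool {
    // 1. Reject anything that carries directory components or is empty.
    if ($requested === '' || basename($requested) !== $requested) {
        return false;
    }
    // 2. Allow-list the file name so encoded traversal, null bytes and
    //    dot-files never reach the filesystem layer.
    if (!preg_match('/^[A-Za-z0-9._-]{1,128}$/', $requested) || $requested[0] === '.') {
        return false;
    }
    // 3. Canonicalise both paths and require the target to sit inside the
    //    upload directory. realpath() follows symlinks, so a link pointing
    //    elsewhere also fails this check.
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false) {
        return false;
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($target)) {
        return false;  // escaped the allowed directory, or not a regular file
    }
    return unlink($target);
}

// WordPress AJAX wiring (hypothetical action and nonce names). Even for an
// unauthenticated endpoint, a nonce issued with the upload form ties the
// delete request to the session that created the file.
add_action('wp_ajax_nopriv_gfmu_example_delete', function () {
    check_ajax_referer('gfmu_example_delete_nonce', 'nonce');
    $dir  = wp_upload_dir()['basedir'] . '/gfmu-example-tmp';
    $name = isset($_POST['file']) ? (string) wp_unslash($_POST['file']) : '';
    if (gfmu_example_delete_upload_file($name, $dir)) {
        wp_send_json_success();
    }
    wp_send_json_error('invalid file', 400);
});
```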

Affected Products

Multi Uploader for Gravity Forms plugin, versions ≤1.1.7, on the WordPress platform. Vendor: unknown (third-party developer). No CPE was provided in the source data.

Remediation

An upstream fix is available (changeset 3421317), but a released patched version was not independently confirmed at the time of analysis. Deactivate the Multi Uploader for Gravity Forms plugin (≤1.1.7) immediately until the vendor confirms a released fix version, and monitor the WordPress plugin repository for a version above 1.1.7. Apply supporting hardening: restrict wp-admin access, enable file integrity monitoring for critical directories, and review server logs for unauthorized deletion attempts. Vendor advisory and technical details: https://www.wordfence.com/threat-intel/vulnerabilities/id/346af237-0411-4cc4-9544-eab697385a2f?source=cve and https://plugins.trac.wordpress.org/changeset/3421317/

Priority Score

49 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.4
CVSS: +49
POC: 0

CVE-2025-14344 vulnerability details – vuln.today