CVE-2025-14344 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal) found in the Multi Uploader for Gravity Forms plugin for WordPress, developed by sh1zen. The flaw exists in the 'plupload_ajax_delete_file' function, which fails to properly validate file paths before performing deletion operations. This lack of validation enables unauthenticated attackers to craft malicious requests that traverse directories and delete arbitrary files on the web server hosting the plugin. Since the vulnerability affects all versions up to and including 1.1.7, any unpatched installation is vulnerable. The CVSS v3.1 base score of 9.8 reflects the critical nature of this issue, with attack vector being network-based, requiring no privileges or user interaction, and impacting confidentiality, integrity, and availability. The vulnerability could lead to deletion of critical system or application files, potentially causing denial of service, data loss, or enabling further attacks by removing security controls or logs. Although no public exploits have been reported yet, the simplicity of exploitation and the plugin's widespread use in WordPress environments make this a high-risk threat. The absence of an official patch at the time of publication necessitates immediate defensive measures to mitigate risk.

For European organizations, this vulnerability poses a severe risk to the integrity and availability of web servers running WordPress sites with the affected plugin. Successful exploitation can lead to arbitrary file deletion, resulting in data loss, service outages, and potential compromise of sensitive information. Organizations relying on Gravity Forms for critical business processes may experience operational disruptions. Additionally, deletion of security or log files could hinder incident response and forensic investigations. The threat is particularly acute for entities with public-facing WordPress installations, including e-commerce, government portals, and service providers. The ease of exploitation without authentication increases the attack surface, potentially enabling widespread automated attacks. This could lead to reputational damage, regulatory non-compliance (e.g., GDPR if personal data is affected), and financial losses. Given the plugin’s integration in many European websites, the impact could be broad and significant if not addressed promptly.

1. Immediately audit all WordPress installations to identify the presence of the Multi Uploader for Gravity Forms plugin and verify the version in use. 2. Apply any available patches or updates from the vendor as soon as they are released. In the absence of an official patch, consider temporarily disabling or removing the plugin to eliminate the attack vector. 3. Implement strict file system permissions to limit the web server’s ability to delete or modify critical files outside designated upload directories. 4. Deploy and configure a Web Application Firewall (WAF) to detect and block suspicious requests targeting the vulnerable function, especially those attempting path traversal sequences. 5. Monitor server logs for unusual deletion requests or errors related to file operations. 6. Employ intrusion detection systems to alert on anomalous activities. 7. Educate site administrators on the risks and ensure secure plugin management practices. 8. Consider isolating WordPress instances in containerized or sandboxed environments to limit potential damage. 9. Regularly back up website data and configurations to enable rapid recovery in case of file deletion.