CVE-2025-14344 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal) found in the Multi Uploader for Gravity Forms plugin for WordPress, developed by sh1zen. This vulnerability affects all versions up to and including 1.1.7. The root cause lies in the 'plupload_ajax_delete_file' function, which fails to properly validate and sanitize user-supplied file path inputs. As a result, an unauthenticated attacker can craft malicious requests to delete arbitrary files on the web server hosting the WordPress site. The vulnerability does not require any authentication or user interaction, making it trivially exploitable remotely. The CVSS v3.1 base score is 9.8 (critical), reflecting the ease of exploitation (attack vector: network), no privileges required, no user interaction, and a high impact on confidentiality, integrity, and availability. While no known exploits are currently reported in the wild, the potential for destructive attacks such as deleting critical application files, configuration files, or other sensitive data is significant. The plugin's widespread use in WordPress sites increases the attack surface. The absence of available patches at the time of disclosure necessitates immediate mitigation efforts by administrators. This vulnerability exemplifies the risks of insufficient input validation in web applications, especially in file handling functions.

The impact of CVE-2025-14344 is severe for organizations running WordPress sites with the vulnerable Multi Uploader for Gravity Forms plugin. Successful exploitation allows attackers to delete arbitrary files on the server, which can lead to complete site defacement, loss of critical data, disruption of business operations, and potential compromise of other systems if configuration or credential files are deleted or corrupted. The deletion of key files can cause denial of service, forcing costly recovery and incident response efforts. Since the vulnerability requires no authentication, attackers can exploit it at scale, increasing the risk of widespread damage. Organizations relying on WordPress for e-commerce, content management, or customer engagement are particularly vulnerable to reputational damage and financial loss. Additionally, the ability to delete files might be leveraged as part of a multi-stage attack to facilitate further compromise or evade detection. The lack of known exploits currently provides a window for proactive defense, but the critical severity score underscores the urgency of addressing this flaw.

To mitigate CVE-2025-14344, organizations should immediately take the following specific actions: 1) Disable or remove the Multi Uploader for Gravity Forms plugin until a secure patch is released. 2) Implement strict input validation and sanitization on all file path parameters, ensuring that user-supplied paths cannot traverse directories outside of intended upload or temporary directories. 3) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious deletion requests containing path traversal patterns such as '../'. 4) Restrict file system permissions for the web server user to limit deletion rights only to necessary directories, preventing arbitrary file deletion even if exploited. 5) Monitor server logs for unusual file deletion activity or repeated failed attempts to access restricted paths. 6) Keep WordPress core and all plugins updated, and subscribe to vendor security advisories for timely patch deployment. 7) Consider implementing application-level controls that require authentication and authorization for file deletion operations to reduce exposure. These targeted mitigations go beyond generic advice by focusing on the specific vulnerable function and attack vector.