CVE-2025-14344: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in sh1zen Multi Uploader for Gravity Forms
The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
AI Analysis
Technical Summary
CVE-2025-14344 is a critical security vulnerability classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal) found in the Multi Uploader for Gravity Forms plugin developed by sh1zen for WordPress. The vulnerability resides in the 'plupload_ajax_delete_file' function, which handles AJAX requests to delete uploaded files. Due to insufficient validation and sanitization of the file path parameter, an unauthenticated attacker can craft malicious requests to traverse directories and delete arbitrary files on the server hosting the WordPress site. This can lead to severe consequences including deletion of critical system files, web application files, or other sensitive data, resulting in denial of service, data loss, or potential further compromise of the server. The vulnerability affects all versions up to and including 1.1.7 of the plugin. The CVSS v3.1 base score of 9.8 indicates a critical severity with network attack vector, no required privileges, no user interaction, and high impact on confidentiality, integrity, and availability. While no public exploits have been reported yet, the vulnerability's characteristics make it a prime target for attackers. The plugin is widely used in WordPress environments, which are prevalent across many European organizations, increasing the potential attack surface. The lack of authentication requirement and ease of exploitation necessitate urgent attention from administrators to prevent exploitation.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial. Many businesses and public sector entities rely on WordPress for their web presence, often using Gravity Forms and its extensions for critical data collection and user interaction. An attacker exploiting this vulnerability could delete essential files, causing website downtime, loss of data integrity, and disruption of services. This could lead to reputational damage, financial losses, and potential regulatory non-compliance, especially under GDPR where data availability and integrity are critical. Additionally, deletion of configuration or security files could open pathways for further compromise, including privilege escalation or persistent backdoors. Organizations with limited incident response capabilities or outdated plugin versions are particularly vulnerable. The vulnerability’s unauthenticated nature means attackers can exploit it remotely without prior access, increasing the risk of widespread attacks. The absence of known exploits currently provides a window for proactive mitigation, but the critical severity demands immediate action.
Mitigation Recommendations
1. Immediately identify and inventory all WordPress sites using the sh1zen Multi Uploader for Gravity Forms plugin, especially versions up to 1.1.7.
2. Disable or uninstall the vulnerable plugin until a patch is released.
3. Monitor official vendor channels and security advisories for patches or updates addressing CVE-2025-14344 and apply them promptly.
4. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the 'plupload_ajax_delete_file' endpoint, particularly those containing path traversal patterns (e.g., '../').
5. Restrict file system permissions for the web server user to limit the scope of file deletion capabilities, ensuring the plugin cannot delete files outside designated upload directories.
6. Conduct regular backups of website files and databases to enable rapid recovery in case of file deletion or other damage.
7. Monitor web server and application logs for unusual deletion requests or errors related to file operations.
8. Educate site administrators about the risks of installing unverified plugins and the importance of timely updates.
9. Consider deploying intrusion detection systems (IDS) that can alert on anomalous file deletion activities.
10. Review and harden WordPress security configurations to reduce overall attack surface.
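The log monitoring from mitigation steps 4 and 7, as an added example that is not part of the advisory or the plugin's code: it scans access-log lines for requests that reach the delete handler and carry a traversal sequence, including percent-encoded and double-encoded forms. It assumes the handler is invoked through WordPress's admin-ajax.php with an action parameter named plupload_ajax_delete_file and a file parameter; neither detail is stated on the page.

```python
"""Log scan for CVE-2025-14344-style requests. Added example, not code from
the advisory or the plugin. Assumes (not stated on the page) that the handler
is reached via admin-ajax.php with action=plupload_ajax_delete_file."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

HANDLER = "plupload_ajax_delete_file"
# '../' or '..\' literally, plus the percent-encoded forms that survive one
# decoding pass (double-encoded input shows up as %2e%2e after parse_qs).
TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e|\.\.%2f|\.\.%5c", re.IGNORECASE)
# Request line inside a combined-log-format entry.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def is_suspicious(target: str) -> bool:
    """True if the request targets the delete handler with a traversal
    sequence in any query parameter (checked before and after a second decode)."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if HANDLER not in query.get("action", []):
        return False
    return any(TRAVERSAL.search(v) or TRAVERSAL.search(unquote(v))
               for values in query.values() for v in values)

def scan_log(lines):
    """Return [(line_no, target)] for every suspicious request in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m and is_suspicious(m.group("target")):
            hits.append((n, m.group("target")))
    return hits

# Constructed sample entries, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Dec/2025:03:52:43 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=plupload_ajax_delete_file&file=photo.jpg HTTP/1.1" 200 12',
    '203.0.113.5 - - [12/Dec/2025:03:52:44 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=plupload_ajax_delete_file&file=..%2F..%2Ftarget.txt HTTP/1.1" 200 12',
    '203.0.113.7 - - [12/Dec/2025:03:53:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat&data=../x HTTP/1.1" 200 5',
    '203.0.113.9 - - [12/Dec/2025:03:53:09 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=plupload_ajax_delete_file&file=%252e%252e%252fa.txt HTTP/1.1" 200 12',
]
```

Parameters sent in a POST body never appear in access logs, so the same check belongs in the WAF rule or in the plugin's PHP where the request body is visible.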
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-09T14:43:34.014Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693b918b650da22753edbe4d
Added to database: 12/12/2025, 3:52:43 AM
Last enriched: 12/19/2025, 5:05:35 AM
Last updated: 2/7/2026, 9:21:39 AM