The vulnerability CVE-2025-23921 affects the sh1zen Multi Uploader for Gravity Forms plugin up to version 1.1.3. It allows an attacker to upload files without proper restriction on file types, including potentially dangerous files such as web shells. This can lead to remote code execution or full compromise of the web server hosting the plugin. The CVSS 3.1 base score is 9.0, reflecting network attack vector, high impact on confidentiality, integrity, and availability, and no required privileges or user interaction. No official patch or vendor advisory is currently available, and the plugin is not a cloud service, so remediation depends on vendor updates or user action.

Successful exploitation allows an unauthenticated attacker to upload malicious files, such as web shells, to the affected web server. This can lead to complete compromise of the server, including unauthorized access, data theft, modification, or destruction, and potential pivoting within the network. The vulnerability affects all installations of the plugin up to version 1.1.3. There are no known public exploits currently reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the vulnerable plugin to prevent exploitation. Applying strict file upload restrictions or web application firewall (WAF) rules to block dangerous file types may provide temporary mitigation. Monitor vendor channels for updates and apply patches promptly once available.