Security issue in the WordPress Gravity Forms plugin
More than 930,000 websites could be exposed to an unauthenticated PHP object injection flaw in the popular plugin
The popular WordPress plugin "Gravity Forms", currently used by over 930,000 websites, is vulnerable to unauthenticated PHP object injection. "Gravity Forms" is a customizable form builder that website owners use to create payment, registration, file-upload and other forms for interactions and transactions with visitors. Numerous large organizations, including Airbnb, ESPN, Nike, NASA, Penn State and UNICEF, use the tool, according to the "Gravity Forms" website. The vulnerability, tracked as CVE-2023-28782, affects all versions of the plugin up to and including 2.7.3.
Vulnerability discovery and correction
Patchstack discovered the vulnerability on March 27, 2023 and the vendor fixed it in version 2.7.4, released on April 11, 2023. Administrators of websites using "Gravity Forms" are advised to apply the security update as soon as possible.
Details and consequences of the problem
The problem stems from user-supplied input being passed, without any checks, to the "maybe_unserialize" function, and it can be triggered simply by submitting data to a form created with "Gravity Forms". WordPress core's "maybe_unserialize" hands any string that looks serialized straight to PHP's unserialize(), which instantiates whatever class the serialized string names. "Because PHP allows object serialization, an unauthenticated user could send ad hoc serialized strings to a vulnerable unserialize call, resulting in arbitrary injection of PHP objects into application scope", Patchstack warns in its report. Despite the potential severity of CVE-2023-28782, Patchstack analysts did not find a significant property-oriented programming (POP) chain in the vulnerable plugin itself, which mitigates some of the risk.
Future solution and precautions
However, the risk remains severe if the same site runs other plugins or themes that contain a POP chain, since the injected object can belong to any class loaded by the site, not only to classes from "Gravity Forms". That is not an unlikely situation given the wide range of WordPress plugins and themes available and the varying levels of code quality and security awareness among their developers. In such cases, exploiting CVE-2023-28782 could lead to arbitrary file access and modification, leakage of user and member data, code execution, and more. The plugin vendor fixed the issue by removing the use of the "maybe_unserialize" function from the "Gravity Forms" plugin in version 2.7.4. It is important to keep all plugins and themes active on a WordPress site up to date, as security fixes also remove attack vectors, such as POP chains, that an object injection flaw like this one could otherwise turn into a working exploit.
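The following added example illustrates the two points above: why an unchecked "maybe_unserialize" call on form input is dangerous even when the plugin itself carries no POP chain, and what a hardened handler looks like. It is not "Gravity Forms" or Patchstack code; the form handler, the field name field_1, the simplified stand-in for WordPress's maybe_unserialize(), the gadget class DemoLogWriter (standing in for a class that some other plugin or theme might ship) and the request payload are all constructed for the demo.

```php
<?php
// Added example, not code from Gravity Forms or Patchstack. Run with: php demo.php

// Simplified stand-in for WordPress core's maybe_unserialize(): a string that
// looks serialized is handed straight to unserialize(), with no class limits.
// (Core's is_serialized() check is more thorough; this one is an assumption.)
function maybe_unserialize_like_wp(string $data)
{
    if ($data === 'N;' || preg_match('/^[aOsibd]:/', $data)) {
        return @unserialize($data);
    }
    return $data;
}

// Hypothetical gadget: a class *another* plugin or theme might define. Its
// __destruct() performs file I/O using properties the attacker controls through
// the serialized string, which is exactly what makes it a POP chain gadget.
class DemoLogWriter
{
    public string $path = '/tmp/demo-log-writer.txt';
    public string $content = '';

    public function __destruct()
    {
        @file_put_contents($this->path, $this->content);
    }
}

// Vulnerable pattern: a list-style field value is unserialized as submitted.
// Any class loaded on the site can be instantiated by the request body.
function handle_submission_vulnerable(array $post): array
{
    $value = maybe_unserialize_like_wp((string) ($post['field_1'] ?? ''));
    return is_array($value) ? $value : [$value];
}

// Returns true if the decoded value contains any object at all. With
// allowed_classes => false every object arrives as __PHP_Incomplete_Class,
// whose constructor, __wakeup and __destruct never run.
function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern: if serialized data really must be accepted, forbid object
// instantiation entirely and reject the value if an object was smuggled in.
// Returns null when the input is rejected. (Using JSON instead of PHP
// serialization for the field would remove the unserialize() sink altogether.)
function handle_submission_hardened(array $post): ?array
{
    $raw = (string) ($post['field_1'] ?? '');
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return null; // not valid serialized data
    }
    if (contains_object($value)) {
        return null; // an object was present: refuse the whole submission
    }
    return is_array($value) ? $value : [$value];
}

// Constructed attacker request: the body a browser would POST to the form.
// It names DemoLogWriter and sets both properties the destructor uses.
$attack = [
    'field_1' => 'O:13:"DemoLogWriter":2:{s:4:"path";s:29:"/tmp/poc-object-injection.txt";'
               . 's:7:"content";s:17:"written by gadget";}',
];
// Constructed benign request: a two-row list value with no objects.
$benign = ['field_1' => 'a:2:{i:0;s:3:"foo";i:1;s:3:"bar";}'];

@unlink('/tmp/poc-object-injection.txt');
handle_submission_vulnerable($attack); // object created, then released: __destruct fires
echo "vulnerable handler, gadget ran: "
    . (file_exists('/tmp/poc-object-injection.txt') ? "yes\n" : "no\n");

echo "hardened handler, attack payload: "
    . (handle_submission_hardened($attack) === null ? "rejected\n" : "accepted\n");
echo "hardened handler, benign payload: "
    . implode(',', handle_submission_hardened($benign) ?? []) . "\n";
```

The vulnerable path creates the file named in the payload even though the handler never touches the object itself: instantiation alone is enough for the gadget's destructor to run, which is why the absence of a chain inside the vulnerable plugin only lowers the risk rather than removing it. The hardened path never lets unserialize() instantiate a class, so gadgets shipped by other plugins or themes are out of reach regardless of what else is installed.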
06/01/2023 04:32
Marco Verro