WordPress plugin ‘Gravity Forms’ vulnerable to PHP object injection

The premium WordPress plugin 'Gravity Forms,' currently used by over 930,000 websites, is vulnerable to unauthenticated PHP Object Injection.

Gravity Forms is a custom form builder website owners use for creating payment, registration, file upload, or any other form required for visitor-site interactions or transactions.

On its website, Gravity Forms claims it is used by a wide variety of large companies, including Airbnb, ESPN, Nike, NASA, PennState, and Unicef.

The vulnerability, which is tracked as CVE-2023-28782, impacts all plugin versions from 2.73 and below.

The flaw was discovered by PatchStack on March 27, 2023, and fixed by the vendor with the release of version 2.7.4, which was made available on April 11, 2023.

Website administrators using Gravity Forms are advised to apply the available security update as soon as possible.

Flaw details

The issue arises from that lack of user-supplied input checks for the 'maybe_unserialize' function and can be triggered by submitting data to a form created with Gravity Forms.

"Since PHP allows object serialization, an unauthenticated user could pass ad-hoc serialized strings to a vulnerable unserialize call, resulting in an arbitrary PHP object(s) injection into the application scope," warns PatchStack in the report.

"Note that this vulnerability could be triggered on a default installation or configuration of the Gravity Forms plugin and only needs a created form that contains a list field."

Despite the potential severity of CVE-2023-28782, PatchStack's analysts could not find a significant POP (property-oriented programming) chain in the vulnerable plugin, somewhat mitigating the risk.

However, the risk remains severe if the same site uses other plugins or themes that contain a POP chain, which isn't uncommon considering the wide range of available WordPress plugins and themes and the varying levels of code quality and security awareness among developers.

In those cases, exploitation of CVE-2023-28782 could lead to arbitrary file access and modification, user/member data exfiltration, code execution, and more.

The plugin vendor fixed the flaw by removing the use of the 'maybe_unserialize' function from the Gravity Forms plugin in version 2.74.

It is also important to apply any updates across all plugins and themes active on your WordPress site, as security fixes may eliminate attack vectors, like POP chains, that could be leveraged in this case to launch damaging attacks.