The popular WordPress plugin called ‘Gravity Forms,’ which is currently utilized by more than 930,000 websites, has recently been found to have a vulnerability related to unauthenticated PHP Object Injection.

Gravity Forms serves as a customizable form builder that enables website owners to create various types of forms, including payment forms, registration forms, file upload forms, and more. It is widely used by many prominent companies such as Airbnb, ESPN, Nike, NASA, PennState, and Unicef.

Tracked as CVE-2023-28782, this vulnerability affects all versions of the plugin up to and including version 2.73.

On March 27, 2023, PatchStack, a security research company, discovered this flaw and promptly notified the vendor. The vendor addressed the issue by releasing version 2.7.4 of the plugin on April 11, 2023.

If you are an administrator using Gravity Forms, it is strongly advised to apply the security update as soon as possible to ensure the protection of your website.

Details of the Vulnerability

The vulnerability stems from a lack of input validation in the ‘maybe_unserialize’ function. The exploitation of this vulnerability occurs when an unauthenticated user submits data through a form created with Gravity Forms.

According to PatchStack’s report, “Since PHP allows object serialization, an unauthenticated user could pass ad-hoc serialized strings to a vulnerable unserialize call, resulting in an arbitrary PHP object(s) injection into the application scope.”

It is worth noting that this vulnerability can be triggered on a default installation or configuration of the Gravity Forms plugin, requiring only the presence of a form containing a list field.

The Vulnerable Function

PatchStack researchers did not identify a significant Property-Oriented Programming (POP) chain within the vulnerable plugin, which somewhat reduces the risk associated with CVE-2023-28782.

However, if the affected website employs other plugins or themes that do contain a POP chain, the risk remains substantial. Considering the wide range of available WordPress plugins and themes, as well as varying levels of code quality and security awareness among developers, it is not uncommon for additional vulnerabilities to be present.

In such cases, exploitation of CVE-2023-28782 could potentially lead to arbitrary file access and modification, exfiltration of user/member data, code execution, and other damaging outcomes.

To address this vulnerability, the plugin vendor removed the use of the ‘maybe_unserialize’ function in Gravity Forms version 2.74.

It is crucial to apply updates for all active plugins and themes on your WordPress site, as security fixes often eliminate potential attack vectors such as POP chains that could be exploited to launch malicious attacks.

If you require assistance with this please contact us today.