Gravity Forms Plugin Exposes WordPress Sites to Hackers

Users with the WordPress plugin ‘Gravity Forms‘ on their website should be aware of a serious security vulnerability that could allow attackers to inject malicious PHP objects into the site. Gravity Forms is a premium plugin that lets you create custom forms for various purposes, such as payment, registration, file upload, or surveys. According to its website, it is used by over 930,000 websites and by many large companies, such as Airbnb, ESPN, Nike, NASA, and Unicef.

The vulnerability, which is tracked as CVE-2023-28782, affects all plugin versions from 2.73 and below. It was discovered by PatchStack on March 27, 2023, and fixed by the vendor with the release of version 2.74 on April 11, 2023. The flaw stems from the lack of user-supplied input checks for the ‘maybe_unserialize’ function and can be triggered by submitting data to a form created with Gravity Forms.

As PatchStack explains in their report, “Since PHP allows object serialization, an unauthenticated user could pass ad-hoc serialized strings to a vulnerable unserialize call, resulting in an arbitrary PHP object(s) injection into the application scope.” This means that an attacker could exploit this vulnerability to access or modify files, exfiltrate user data, execute code, or install malware on the affected site.

However, the risk of exploitation is not very high if the site only uses Gravity Forms and no other plugins or themes that contain a POP (property-oriented programming) chain. A POP chain is a sequence of PHP objects that can be used to perform arbitrary operations on the target system. PatchStack’s analysts could not find a significant POP chain in the vulnerable plugin itself, which limits the impact of the vulnerability.

Nonetheless, the risk remains severe if the site uses other plugins or themes that have a POP chain, which is quite common in the WordPress ecosystem. In those cases, an attacker could leverage CVE-2023-28782 to launch more damaging attacks by using the POP chain of another plugin or theme.

The plugin vendor fixed the flaw by removing the use of the ‘maybe_unserialize’ function from the Gravity Forms plugin in version 2.74. Therefore, website administrators using Gravity Forms are advised to update their plugin as soon as possible to prevent potential attacks. It is also important to keep all other plugins and themes updated as well, as they may contain security fixes that could prevent attackers from exploiting this or other vulnerabilities.

PHP Object Injection is a serious type of vulnerability that can compromise the security and functionality of any WordPress site. By using Gravity Forms version 2.74 or higher, users can protect their sites from this threat and ensure a safe and smooth experience for visitors.

Keep in touch with our blog to read the latest news and innovations in the cybersecurity world.