Security News > 2023 > May > WordPress plugin ‘Gravity Forms’ vulnerable to PHP object injection
The premium WordPress plugin 'Gravity Forms,' currently used by over 930,000 websites, is vulnerable to unauthenticated PHP Object Injection.
Gravity Forms is a custom form builder website owners use for creating payment, registration, file upload, or any other form required for visitor-site interactions or transactions.
On its website, Gravity Forms claims it is used by a wide variety of large companies, including Airbnb, ESPN, Nike, NASA, PennState, and Unicef.
Website administrators using Gravity Forms are advised to apply the available security update as soon as possible.
The issue arises from that lack of user-supplied input checks for the 'maybe unserialize' function and can be triggered by submitting data to a form created with Gravity Forms.
The plugin vendor fixed the flaw by removing the use of the 'maybe unserialize' function from the Gravity Forms plugin in version 2.74.