WordPress plugin ‘Gravity Forms’ vulnerable to PHP object injection
2023-05-30 19:42

The premium WordPress plugin 'Gravity Forms,' currently used by over 930,000 websites, is vulnerable to unauthenticated PHP Object Injection.

Gravity Forms is a custom form builder website owners use for creating payment, registration, file upload, or any other form required for visitor-site interactions or transactions.

On its website, Gravity Forms claims it is used by a wide variety of large companies, including Airbnb, ESPN, Nike, NASA, PennState, and Unicef.

Website administrators using Gravity Forms are advised to apply the available security update as soon as possible.

The issue arises from the lack of checks on user-supplied input before it is passed to the 'maybe_unserialize' function, and it can be triggered by submitting data to a form created with Gravity Forms.

The plugin vendor fixed the flaw by removing the use of the 'maybe_unserialize' function from the Gravity Forms plugin in version 2.74.
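As an added illustration (not Gravity Forms or WordPress code), the snippet below contrasts a stand-in for the 'maybe_unserialize' pattern with a variant that refuses to instantiate classes, and adds a pre-parse check an input filter or logging rule can apply. The helper names, the simplified detection regex and the sample strings are constructed for this example; the vendor's actual fix, per the article, was to stop unserializing form input altogether.

```php
<?php
// Added example (not Gravity Forms or WordPress code). Shows why routing
// form input through a maybe_unserialize()-style helper enables PHP object
// injection, and two defensive checks. All names below are constructed.

// Stand-in for the unsafe pattern: if the input looks serialized, hand it to
// unserialize() with no class restriction, so the sender chooses the class.
function legacy_maybe_unserialize(string $data)
{
    return looks_serialized($data) ? @unserialize($data) : $data;
}

// Same detection, but unserialize() may not instantiate any class. Object
// payloads decode to __PHP_Incomplete_Class, so the __wakeup()/__destruct()
// methods of application classes are never reached. This is a mitigation,
// not the vendor's fix (which removed the unserialize call entirely).
function hardened_maybe_unserialize(string $data)
{
    return looks_serialized($data)
        ? @unserialize($data, ['allowed_classes' => false])
        : $data;
}

// Simplified approximation of WordPress core's is_serialized(): every
// PHP-serialized value starts with a type tag and a colon, or is null "N;".
function looks_serialized(string $data): bool
{
    return $data === 'N;' || preg_match('/^[abdisOC]:/', $data) === 1;
}

// Pre-parse check for an input filter or logging rule: does the blob contain
// an object ("O:") or custom-serialized ("C:") token anywhere, including
// nested inside an array? Legitimate form data should never need one.
function contains_object_token(string $data): bool
{
    return preg_match('/(^|[;{])[OC]:\d+:"/', $data) === 1;
}

// Constructed inputs: an ordinary serialized array and an object payload.
$benign = 'a:1:{s:4:"name";s:5:"Alice";}';
$object = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

// get_debug_type() requires PHP 8.0 or newer.
printf("benign flagged:  %s\n", contains_object_token($benign) ? 'yes' : 'no');
printf("object flagged:  %s\n", contains_object_token($object) ? 'yes' : 'no');
printf("legacy gives:    %s\n", get_debug_type(legacy_maybe_unserialize($object)));
printf("hardened gives:  %s\n", get_debug_type(hardened_maybe_unserialize($object)));
```

Run with `php example.php`; the legacy path returns a real object of the class named in the input, while the hardened path returns an incomplete-class placeholder and the token check flags the payload before any parsing happens.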
News URL

https://www.bleepingcomputer.com/news/security/wordpress-plugin-gravity-forms-vulnerable-to-php-object-injection/

Related vendor

VENDOR    | LAST 12M #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS
PHP       | 9                   | 1   | 43     | 115  | 124      | 283
Wordpress | 7                   | 2   | 93     | 44   | 18       | 157
Plugin    | 2                   | 0   | 13     | 1    | 0        | 14