The widely used WordPress plugin ‘Gravity Forms,’ employed by over 930,000 websites, has been identified with a security vulnerability involving unauthenticated PHP Object Injection.
Gravity Forms serves as a customized form builder for website owners, facilitating the creation of payment, registration, file upload, or other essential forms for visitor-site interactions and transactions.
According to its website, Gravity Forms boasts a user base that includes prominent companies such as Airbnb, ESPN, Nike, NASA, PennState, and Unicef.
The vulnerability, designated as CVE-2023-28782, affects all plugin versions up to 2.7.3. PatchStack uncovered this flaw on March 27, 2023, and the vendor promptly addressed it by releasing version 2.7.4 on April 11, 2023.
Administrators using Gravity Forms are strongly urged to apply the available security update promptly.
Details of the Vulnerability:
The vulnerability stems from a lack of input checks for user-supplied data in the ‘maybe_unserialize’ function. It can be exploited by submitting data to a form generated with Gravity Forms.
PatchStack’s report warns that, due to PHP allowing object serialization, an unauthorized user could submit ad-hoc serialized strings to a vulnerable unserialize call, leading to the injection of arbitrary PHP objects into the application scope.
It is noteworthy that this vulnerability could be triggered on a default installation or configuration of the Gravity Forms plugin and only requires a created form containing a list field.
Despite the potential seriousness of CVE-2023-28782, PatchStack’s analysts did not identify a significant Property-Oriented Programming (POP) chain in the vulnerable plugin, somewhat mitigating the risk.
However, the risk remains considerable for websites utilizing other plugins or themes that do contain a POP chain—a not uncommon scenario given the diverse range of available WordPress plugins and themes and varying levels of code quality and security awareness among developers.
In such cases, exploiting CVE-2023-28782 could result in arbitrary file access and modification, user/member data exfiltration, code execution, and more.
The plugin vendor resolved the issue by eliminating the use of the ‘maybe_unserialize’ function from the Gravity Forms plugin in version 2.7.4.
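To make the fix concrete, the following added example (written for this article, not Gravity Forms or WordPress code; requires PHP 7.0+ for the allowed_classes option) contrasts a minimal stand-in for the unrestricted maybe_unserialize() pattern with a hardened reader that refuses object payloads and disables class instantiation. The function names and sample values are constructed for illustration.

```php
<?php
// Added illustration, not Gravity Forms or WordPress code.
// Minimal stand-in for WordPress's maybe_unserialize(): if the string looks
// serialized it goes straight to unserialize() with no class restriction,
// so an attacker-controlled form value can instantiate arbitrary PHP classes.
function maybe_unserialize_like(string $data)
{
    $data = trim($data);
    if (preg_match('/^[aObCisd]:/', $data) || $data === 'N;') {
        return @unserialize($data);
    }
    return $data;
}

// Hardened replacement for code that still has to read legacy serialized
// arrays: reject object (O:) and custom-serializable (C:) payloads up front,
// then disable class instantiation so any bypass yields only
// __PHP_Incomplete_Class, never a live object whose __wakeup()/__destruct()
// could start a POP chain. The pattern may also trip on strings that merely
// contain ';O:1:"', which is an acceptable false positive for untrusted input.
function unserialize_scalars_only(string $data)
{
    $data = trim($data);
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $data)) {
        throw new InvalidArgumentException('serialized object payload rejected');
    }
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    return $value;
}

// Constructed sample inputs: a normal list-field value and an object payload
// using the harmless built-in stdClass.
$listField     = 'a:2:{i:0;s:5:"alice";i:1;s:3:"bob";}';
$objectPayload = 'O:8:"stdClass":1:{s:1:"x";i:1;}';

var_dump(maybe_unserialize_like($objectPayload) instanceof stdClass); // bool(true): an object was created
var_dump(unserialize_scalars_only($listField));                      // array(2) { alice, bob }

try {
    unserialize_scalars_only($objectPayload);
} catch (InvalidArgumentException $e) {
    echo "blocked: {$e->getMessage()}\n";
}
// Preferred fix, as the vendor did: stop deserializing user input entirely,
// e.g. store and read list-field values as JSON via json_encode()/json_decode().
```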
It is crucial to apply updates across all active plugins and themes on your WordPress site, as security fixes may eliminate potential attack vectors like POP chains that could be exploited for harmful attacks.