Recently, researchers discovered an unauthenticated PHP Object Injection vulnerability (a flaw in which user input is not properly filtered before being unserialized, allowing attackers to perform command injection attacks) in this plugin.

The vulnerability in Gravity Forms, tracked as CVE-2023-28782, affects all 2.7 versions. Successful exploitation could lead to arbitrary file access and modification, theft of user data, code execution, and more.
Vulnerability details
The vulnerability stems from a lack of validation of user input passed to the ‘maybe_unserialize’ function and can be triggered by submitting data to a form created with Gravity Forms.
As the experts warn, because PHP allows object serialization, an unauthenticated user can pass arbitrary serialized strings into the flawed unserialize call, resulting in arbitrary PHP objects being injected into the application.
This vulnerability can be triggered on a default installation and configuration of the Gravity Forms plugin and requires only a created form containing a list field.
Vulnerability function
Although CVE-2023-28782 is a critical vulnerability, analysts could not find a POP (property-oriented programming) chain in the Gravity Forms plugin itself. This somewhat mitigates the risk that this vulnerability poses. However, the risk still exists if the site uses other plugins or themes that contain a usable POP chain.
The vendor removed the use of the ‘maybe_unserialize’ function and addressed the vulnerability in version 2.7.4, released on April 11, 2023. Site administrators using Gravity Forms should therefore apply the update as soon as possible.
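The pattern behind the vulnerability details above, and the reason the POP-chain remark matters, can be seen in a small PHP example. This is an added illustration, not code from Gravity Forms or WordPress core: the `insecure_maybe_unserialize()` stand-in, the `AuditLogEntry` class and the sample payload are all constructed here. It mirrors the relevant behaviour of WordPress's `maybe_unserialize()`, which hands any string that looks serialized to `unserialize()` with no class restriction, and contrasts it with `unserialize()` called with `allowed_classes => false` and with JSON decoding, which carries no object semantics at all.

```php
<?php
// Added example, not Gravity Forms or WordPress code. It models the pattern
// behind CVE-2023-28782: untrusted form input handed to a function that
// unserializes anything that looks serialized, beside two safer options.

// Stand-in for maybe_unserialize(): if the string looks serialized it goes
// straight to unserialize(), so any loaded class can be instantiated.
function insecure_maybe_unserialize(string $data)
{
    // Crude "looks serialized" test, in the spirit of is_serialized()
    if (preg_match('/^[aOsibdN]:/', $data)) {
        return @unserialize($data);
    }
    return $data;
}

// Benign marker class (constructed). Any class with a magic method that runs
// during unserialization (__wakeup, __destruct) that another plugin or theme
// happens to load is reachable this way; that is what a POP chain builds on.
class AuditLogEntry
{
    public static bool $wakeupRan = false;
    public string $note = '';

    public function __wakeup(): void
    {
        self::$wakeupRan = true;
    }
}

// Hardened variant: refuse to instantiate any class. Objects in the payload
// become __PHP_Incomplete_Class instances whose magic methods never run.
function safe_unserialize(string $data)
{
    return @unserialize($data, ['allowed_classes' => false]);
}

// Better still for form data such as a list field: store and decode JSON,
// which cannot describe PHP objects. Depth limit and exceptions are explicit.
function decode_list_field(string $data): array
{
    $value = json_decode($data, true, 32, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : [];
}

// Input-side check a form handler or WAF rule can apply before anything is
// stored: legitimate list values never contain a serialized PHP object token.
function looks_like_php_object(string $data): bool
{
    return (bool) preg_match('/(^|[;{])O:\d+:"/', $data);
}

// Constructed sample payload: a serialized AuditLogEntry with one property.
$payload = 'O:13:"AuditLogEntry":1:{s:4:"note";s:6:"hello!";}';

$obj = insecure_maybe_unserialize($payload);
printf("insecure path: class=%s, __wakeup ran: %s\n",
    get_class($obj), AuditLogEntry::$wakeupRan ? 'yes' : 'no');

AuditLogEntry::$wakeupRan = false;
$obj = safe_unserialize($payload);
printf("hardened path: class=%s, __wakeup ran: %s\n",
    get_class($obj), AuditLogEntry::$wakeupRan ? 'yes' : 'no');

printf("looks like a PHP object payload: %s\n",
    looks_like_php_object($payload) ? 'yes' : 'no');

// The JSON route simply rejects the payload instead of interpreting it.
try {
    decode_list_field($payload);
} catch (JsonException $e) {
    printf("json route: rejected (%s)\n", $e->getMessage());
}
```

Run it with `php example.php`. The insecure path instantiates `AuditLogEntry` and runs its `__wakeup()`; the hardened path yields a `__PHP_Incomplete_Class` and leaves the flag untouched, which is why the vendor's removal of `maybe_unserialize` (rather than filtering input) closes the issue regardless of which other plugins or themes a site has loaded.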