1 min read

‘Gravity Forms’ WordPress Plugin Found Vulnerable to PHP Object Injection

Promo Protect all your devices, without slowing them down.
Free 30-day trial
‘Gravity Forms’ WordPress Plugin Found Vulnerable to PHP Object Injection

Gravity Forms, a popular WordPress plugin, has been found vulnerable to unauthenticated PHP Object Injection attacks.

The plugin is deployed on nearly a million websites worldwide, enabling users to quickly generate custom forms, such as those used for file upload, signing up, payment, surveys, or contact, on their websites.

Website security and monitoring platform PatchStack found the vulnerability, which affects all plugin versions earlier than 2.73, on March 27, and Gravity Forms’ vendor addressed it two weeks later, on April 11, in version 2.74 of the plugin. The vulnerability is now tracked as CVE-2023-28782.

“The Gravity Forms plugin vulnerability occurs when user-supplied input is not properly sanitized before being passed to the maybe_unserialize function which is a wrapper for PHP unserialize function,” reads PatchStack’s security advisory. “Since PHP allows object serialization, an unauthenticated user could pass ad-hoc serialized strings to a vulnerable unserialize call, resulting in an arbitrary PHP object(s) injection into the application scope.”

According to security experts, the flaw doesn’t require special conditions to exploit and it works even on default installations or configurations of Gravity Forms. Attackers only need to locate a “created form that contains a list field” to perform a PHP Object Injection.

Reportedly, the issue arose mainly because of the plugin’s insecure maybe_unserialize function; merely replacing the function should address the shortcoming. The WordPress security company recommends that website administrators opt for JSON instead of serialization when handling complex data structures to avoid similar situations.

Gravity Forms users are urged to update their plugins to the latest version (2.74), where the vulnerable maybe_unserialize function was completely removed.

The potential severity of the flaw underlines the importance of keeping WordPress plugins and other components up to date. Engaging in good security practices could help administrators protect their websites against devastating attacks.




Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.

View all posts

You might also like