WordPress Plugin Vulnerabilities

Gravity Forms < 2.7.5 - Reflected XSS

Description

The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high-privileged users such as admin.

Proof of Concept

Affects Plugins

Plugin icon
gravityforms
Fixed in 2.7.5

References

CVE
CVE-2023-2701

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Fioravante Souza (WPScan)
Submitter website
https://wpscan.com
Verified
Yes
WPVDB ID
298fbe34-62c2-4e56-9bdb-90da570c5bbe

Timeline

Publicly Published
2023-06-21 (about 2 years ago)
Added
2023-06-21 (about 2 years ago)
Last Updated
2023-06-21 (about 2 years ago)

Other

Published
Title
Published
2022-08-31
Title
Image Hover Effects Ultimate < 9.8.0 - Authenticated Stored XSS
Published
2018-07-28
Title
Woocommerce Jetpack < 3.8.0 - XSS
Published
2024-11-08
Title
Postify: Post Layout For Elementor <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-02-18
Title
Essential Addons for Elementor Lite < 5.0.9 - Reflected Cross-Site Scripting
Published
2021-11-15
Title
Pixel Cat Lite < 2.6.3 - Admin+ Stored Cross-Site Scripting