WordPress Plugin Vulnerabilities

Gravity Forms < 2.7.4 - Unauthenticated PHP Object Injection

Description

The plugin unserializes user input via the get_field_input(), which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog

Affects Plugins

Plugin icon
gravityforms
Fixed in 2.7.4

References

CVE
CVE-2023-28782
URL
https://patchstack.com/articles/unauthenticated-php-object-injection-in-gravity-forms-plugin/

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Submitter
Curtis Belt
Verified
Yes
WPVDB ID
f27efbe4-ce05-4867-bc26-3cf165b7669b

Timeline

Publicly Published
2023-05-29 (about 2 years ago)
Added
2023-06-05 (about 2 years ago)
Last Updated
2023-06-05 (about 2 years ago)

Other

Published
Title
Published
2025-01-16
Title
Quick Count <= 3.00 - Unauthenticated PHP Object Injection
Published
2025-06-09
Title
Themify Edmin <= 2.0.0 - Authenticated (Contributor+) PHP Object Injection
Published
2023-09-13
Title
Essential Blocks <= 4.2.0 - Unauthenticated PHP Object Injection via products
Published
2024-04-29
Title
Photo Gallery < 1.4.3 - Contributor+ PHP Object Injection via Shortcode
Published
2025-04-10
Title
TableOn – WordPress Posts Table Filterable < 1.0.4.4 - Unauthenticated PHP Object Injection