Gravity Forms WordPress plugin vulnerable to PHP object injection

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Gravity Forms is a premium WordPress plugin that site owners use to build custom forms for interactions with visitors, such as payment, registration and file-upload forms. A vulnerability in the plugin, tracked as CVE-2023-28782 (CVSSv3 score: 8.3), affects all versions up to and including 2.7.3. It was reported by Patchstack on 27th March 2023 and fixed by the vendor on 11th April 2023 with the release of version 2.7.4. The root cause is that user-supplied form input is passed to maybe_unserialize(), a WordPress core helper that calls unserialize() on any string that looks like serialized PHP data. An unauthenticated visitor can therefore reach unserialize() with attacker-controlled data simply by submitting a form, which is a PHP Object Injection primitive.

Impact

On its own, the flaw only lets an attacker instantiate arbitrary classes with attacker-chosen property values. It becomes severe when the same site loads another plugin or theme that supplies a usable Property Oriented Programming (POP) chain, that is, a class whose magic methods (for example __wakeup() or __destruct()) do something dangerous with those properties. This is not unusual given the number of WordPress plugins and themes available and the varying standards of code quality and developer security awareness. Exploiting CVE-2023-28782 in those circumstances may result in unauthorised file access and modification, exfiltration of user or member data, and remote code execution.
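To make the bug class from the Overview and the gadget-chain dependency described above concrete, here is an added PHP illustration; it is not the bulletin's code and not Gravity Forms' own code. The CacheFile gadget class, the function names and the temp-file path are assumptions for the demo, and the is_serialized()/maybe_unserialize() stand-ins mirror the behaviour of the WordPress core helpers so the file runs outside WordPress (PHP 8.0 or newer). The vulnerable pattern is shown beside two hardened forms.

```php
<?php
// Added illustration of PHP object injection via maybe_unserialize().
// Not Gravity Forms code. CacheFile, the function names and the file
// path are assumptions for this demo.

// Stand-ins for the WordPress core helpers so the file runs outside WordPress.
// WordPress's maybe_unserialize() behaves like this: if the string looks
// serialized, it is handed straight to unserialize().
if (!function_exists('is_serialized')) {
    function is_serialized(string $data): bool
    {
        $data = trim($data);
        return $data === 'N;' || preg_match('/^[aOsbidE]:/', $data) === 1; // simplified check
    }
}
if (!function_exists('maybe_unserialize')) {
    function maybe_unserialize(string $data): mixed
    {
        return is_serialized($data) ? @unserialize(trim($data)) : $data;
    }
}

// A gadget: stands in for a class shipped by *another* plugin or theme on the
// same site (the POP chain). unserialize() instantiates it with attacker-chosen
// properties and PHP invokes __destruct() when the object is released.
class CacheFile
{
    public $path;
    public $contents;

    public function __destruct()
    {
        // Plausible "cleanup" logic that becomes an arbitrary file write.
        if ($this->path !== null) {
            file_put_contents($this->path, (string) $this->contents);
        }
    }
}

// Vulnerable pattern: user input reaches maybe_unserialize() unchecked.
function store_field_value_vulnerable(string $user_input): mixed
{
    return maybe_unserialize($user_input);
}

// Hardened pattern: never unserialize input; reject anything that looks serialized.
function store_field_value_hardened(string $user_input): string
{
    if (is_serialized($user_input)) {
        throw new InvalidArgumentException('serialized PHP data is not accepted in form fields');
    }
    return $user_input;
}

// If unserialize() is truly unavoidable, forbid object instantiation so no
// gadget's magic methods can run; objects come back as __PHP_Incomplete_Class.
function unserialize_data_only(string $input): mixed
{
    return unserialize($input, ['allowed_classes' => false]);
}

// --- demo -----------------------------------------------------------------
// Constructed payload: a serialized CacheFile pointing at a temp file.
$target  = sys_get_temp_dir() . '/poc-demo.txt';
$payload = sprintf(
    'O:9:"CacheFile":2:{s:4:"path";s:%d:"%s";s:8:"contents";s:10:"gadget ran";}',
    strlen($target), $target
);

$obj = store_field_value_vulnerable($payload);  // CacheFile is instantiated
unset($obj);                                     // __destruct() fires, file is written
echo file_exists($target) ? "vulnerable: gadget executed\n" : "no write\n";
@unlink($target);

try {
    store_field_value_hardened($payload);
} catch (InvalidArgumentException $e) {
    echo "hardened: {$e->getMessage()}\n";
}

$safe = unserialize_data_only($payload);
echo "allowed_classes=false gives: " . get_class($safe) . "\n"; // __PHP_Incomplete_Class
unset($safe);                                                   // no destructor runs
```

Run it with `php demo.php`. The point of the second hardened variant is the caveat from the Impact section in reverse: with `allowed_classes => false` no class from any plugin or theme can be instantiated, so the presence or absence of a POP chain on the site no longer matters.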

Affected Products

The premium WordPress plugin Gravity Forms, versions 2.7.3 and earlier.

Containment, Mitigations & Remediations

The plugin's developer remediated the vulnerability in version 2.7.4 by removing the maybe_unserialize() call on user-supplied input; sites should update Gravity Forms to 2.7.4 or later. Keeping every active plugin and theme on a WordPress site up to date is equally important, since security updates can remove the POP chains (gadget classes) that an object injection such as this one needs in order to do damage.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

The premium WordPress plugin Gravity Forms is installed on over 930,000 websites, and every installation running a version earlier than 2.7.4 is exposed to unauthenticated PHP Object Injection, giving threat actors a relatively large attack surface. WordPress holds a substantial share of the website market, so vulnerable WordPress sites are attractive targets: threat actors typically weigh likelihood of success against asset value when choosing where to spend their time, and will continue to exploit known vulnerabilities in unpatched sites to extract the sensitive information they hold.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

T1190 – Exploit Public-Facing Application

Further Information

CVE-2023-28782: PHP Object Injection Flaw in WordPress Gravity Forms Plugin

PHP Pop Chains

WordPress plugin ‘Gravity Forms’ vulnerable to PHP object injection

 
