{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-032.pdf"
    },
    "title": "Vulnerability in WordPress Gravity Forms Plugin",
    "serial_number": "2023-032",
    "publish_date": "31-05-2023 08:43:11",
    "description": "On May 30, 2023, an unauthenticated PHP Object Injection vulnerability was disclosed in the WordPress Gravity Forms plugin. The vulnerability, identified as CVE-2023-28782 (CVSS score of 8.3), allows an unauthenticated user to pass a crafted serialised string to a vulnerable \"unserialize\" call, resulting in the injection of arbitrary PHP objects into the application scope.<br>\nThe vulnerability can be triggered on a default installation of the Gravity Forms plugin; the only prerequisite is a form that contains a list field.<br>\n",
    "url_title": "2023-032",
    "content_markdown": "--- \ntitle: 'Vulnerability in WordPress Gravity Forms Plugin' \nversion: '1.0'\nnumber: '2023-032'\noriginal_date: 'May 30, 2023'\ndate: 'May 31, 2023'\n---\n\n_History:_\n\n* _31/05/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn May 30, 2023, an unauthenticated PHP Object Injection vulnerability was disclosed in the WordPress Gravity Forms plugin. The vulnerability, identified as CVE-2023-28782 (CVSS score of 8.3), allows an unauthenticated user to pass a crafted serialised string to a vulnerable `unserialize` call, resulting in the injection of arbitrary PHP objects into the application scope [1].\n\nThe vulnerability can be triggered on a default installation of the Gravity Forms plugin; the only prerequisite is a form that contains a list field.\n\n# Technical Details\n\nThe vulnerability occurs because user-supplied input is passed, without sanitisation, to the `maybe_unserialize` function, a WordPress wrapper around PHP's `unserialize`.\n\nThe vulnerable code is in the `get_field_input` function in the file:\n\n```\nincludes/fields/class-gf-field-list.php\n```\n\nwhich handles the input processing of a list field in Gravity Forms. The legacy `get_legacy_field_input` function contains identical code and is vulnerable in the same way.
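
The unsafe pattern beside two safe replacements, as an added example that is not Gravity Forms code and not taken from the advisory: `LogWriter` is a hypothetical gadget class standing in for whatever class with a magic method happens to be loadable on a target site, `maybe_unserialize` is a simplified re-implementation of the WordPress helper so that the script runs stand-alone, the `list_field_value_*` handlers are illustrative rather than the plugin's functions, and the payload and file path are constructed for the demonstration.

```php
<?php
// Added example, not Gravity Forms code. Shows why handing request data to
// maybe_unserialize() is an object injection, and two ways to close it.

// Hypothetical gadget class (assumption: something like it is autoloaded by
// the site). Its __wakeup() runs inside unserialize(), before the caller ever
// sees the result. Here it only records what an attacker could make it do.
class LogWriter
{
    public static $fired = array();
    public $path;
    public $data;

    public function __wakeup()
    {
        self::$fired[] = 'would write ' . $this->data . ' to ' . $this->path;
    }
}

// Simplified stand-in for the WordPress helper: anything that looks serialised
// is passed to unserialize(), everything else is returned unchanged.
function maybe_unserialize($data)
{
    if (is_string($data) && preg_match('/^[aOsibdN]:/', trim($data))) {
        return @unserialize($data);
    }
    return $data;
}

// Unsafe pattern: the list field value comes straight from the request.
function list_field_value_vulnerable($value)
{
    $rows = maybe_unserialize($value);
    return is_array($rows) ? $rows : array();
}

// Safe pattern 1: never unserialize request data. A genuine list-field
// submission is already a PHP array; a string is accepted only if it is JSON.
function list_field_value_hardened($value)
{
    if (is_array($value)) {
        return $value;
    }
    if (is_string($value)) {
        $decoded = json_decode($value, true);
        if (is_array($decoded)) {
            return $decoded;
        }
    }
    return array();
}

// Safe pattern 2: if serialised input truly cannot be avoided, forbid objects.
// With allowed_classes => false (PHP 7+), unserialize() builds inert
// __PHP_Incomplete_Class placeholders instead of LogWriter, so no magic
// method runs. The caller still has to reject those placeholders itself.
function list_field_value_no_classes($value)
{
    $rows = is_string($value)
        ? @unserialize($value, array('allowed_classes' => false))
        : $value;
    return is_array($rows) ? $rows : array();
}

// Constructed attacker payload: a serialised LogWriter with attacker-chosen
// properties, wrapped in an array so that it also passes an is_array() check.
$gadget = new LogWriter();
$gadget->path = '/var/www/html/wp-content/uploads/x.php';
$gadget->data = 'attacker controlled content';
$payload = serialize(array($gadget));

foreach (array('vulnerable', 'hardened', 'no_classes') as $variant) {
    LogWriter::$fired = array();
    $rows = call_user_func('list_field_value_' . $variant, $payload);
    $hasObject = false;
    foreach ($rows as $row) {
        if (is_object($row)) {
            $hasObject = true;
        }
    }
    printf('%-11s gadget fired %d time(s), rows returned: %d, object in rows: %s%s',
        $variant, count(LogWriter::$fired), count($rows),
        $hasObject ? 'yes' : 'no', PHP_EOL);
}

// A genuine submission is already an array and passes the hardened handler.
$legit = list_field_value_hardened(array(array('Alice', 'alice@example.com')));
printf('legit submission rows: %d%s', count($legit), PHP_EOL);
```

Running the script with the PHP CLI shows the gadget firing once for the vulnerable handler and not at all for the two hardened ones. Note the difference between the hardened variants: the JSON-based handler returns nothing for the malicious payload, whereas `allowed_classes => false` returns a row holding an incomplete-class placeholder, so an application that keeps `unserialize` must also validate the shape of what comes back.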
\n\nThe input arrives in the `$value` variable. Because `$value` is passed to `maybe_unserialize` without any check or sanitisation, an unauthenticated user can trigger PHP object injection simply by submitting data to a list field of a form created with Gravity Forms.\n\nThe list field's `get_field_input` is reached from the `get_field_input` function in `common.php`, which acts as the initial handler for submitted input and dispatches to the handler of each field type.\n\nThe practical impact of the injection depends on the classes loadable on the target site: the injected object leads to file writes, database access or code execution only where WordPress core, the theme or another plugin provides a class with a suitable magic method (for example `__wakeup` or `__destruct`). This does not reduce the urgency of patching.\n\n# Affected Products\n\nThe affected product is:\n\n- Gravity Forms plugin version 2.7.3 and below.\n\n# Recommendations\n\nTo mitigate this vulnerability, users should update the plugin to version 2.7.4 or later. The installed version can be checked with `wp plugin get gravityforms --field=version`.\n\n# References\n\n[1] <https://patchstack.com/articles/unauthenticated-php-object-injection-in-gravity-forms-plugin/>\n\n[2] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28782>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>31/05/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On May 30, 2023, an unauthenticated PHP Object Injection vulnerability was disclosed in the WordPress Gravity Forms plugin. The vulnerability, identified as CVE-2023-28782 (CVSS score of 8.3), allows an unauthenticated user to pass a crafted serialised string to a vulnerable <code>unserialize</code> call, resulting in the injection of arbitrary PHP objects into the application scope [1].</p><p>The vulnerability can be triggered on a default installation of the Gravity Forms plugin; the only prerequisite is a form that contains a list field.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability occurs because user-supplied input is passed, without sanitisation, to the <code>maybe_unserialize</code> function, a WordPress wrapper around PHP's <code>unserialize</code>.</p><p>The vulnerable code is in the <code>get_field_input</code> function in the file:</p><pre><code>includes/fields/class-gf-field-list.php\n</code></pre><p>which handles the input processing of a list field in Gravity Forms. The legacy <code>get_legacy_field_input</code> function contains identical code and is vulnerable in the same way.</p><p>The input arrives in the <code>$value</code> variable. Because <code>$value</code> is passed to <code>maybe_unserialize</code> without any check or sanitisation, an unauthenticated user can trigger PHP object injection simply by submitting data to a list field of a form created with Gravity Forms.</p><p>The list field's <code>get_field_input</code> is reached from the <code>get_field_input</code> function in <code>common.php</code>, which acts as the initial handler for submitted input and dispatches to the handler of each field type.</p><p>The practical impact of the injection depends on the classes loadable on the target site: the injected object leads to file writes, database access or code execution only where WordPress core, the theme or another plugin provides a class with a suitable magic method (for example <code>__wakeup</code> or <code>__destruct</code>). This does not reduce the urgency of patching.</p><h2 id=\"affected-products\">Affected Products</h2><p>The affected product is:</p><ul><li>Gravity Forms plugin version 2.7.3 and below.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>To mitigate this vulnerability, users should update the plugin to version 2.7.4 or later. The installed version can be checked with <code>wp plugin get gravityforms --field=version</code>.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://patchstack.com/articles/unauthenticated-php-object-injection-in-gravity-forms-plugin/\">https://patchstack.com/articles/unauthenticated-php-object-injection-in-gravity-forms-plugin/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28782\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28782</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}