WordPress plugin ‘Gravity Forms’ vulnerable to PHP object injection


Over 930,000 websites presently utilise the premium WordPress plugin Gravity Forms, which is vulnerable to unauthenticated PHP Object Injection.Gravity Forms is a tool that website owners can use to create custom forms for transactions involving site visitors, such as payment forms, registration forms, file upload forms, and others.

According to Gravity Forms website, a vast number of well-known corporations utilise it, including Airbnb, ESPN, Nike, NASA, PennState, and Unicef. CVE-2023-28782 is the tracking number for the vulnerability, which affects all plugin versions 2.73 and lower. The bug was found on March 27, 2023, by PatchStack, and addressed by the vendor on April 11, 2023, with the release of version 2.7.4.

Read More…