CVE-2024-13378 MEDIUM

CVE-2024-13378: GravityForms 2.9.0.1 - 2.9.1.3 - Unauthenticated Stored Cross-Site Scripting via 'style_settings' parameter

Vendor Gravity Forms
Product Gravity Forms
Weakness CWE-79 · XSS
Published January 17, 2025
Last update February 12, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Changed
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

Description

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style_settings’ parameter in versions 2.9.0.1 up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attack is only successful in the Chrome web browser, and requires directly browsing the media file via the attachment post.

Explanation of Vulnerability in Simple Terms

Summary

Gravity Forms versions 2.9.0.1 through 2.9.1.3 contain a stored cross-site scripting vulnerability that allows an attacker to inject malicious scripts affecting multiple users. Exploitation has high attack complexity but requires neither authentication nor user interaction. The impact is limited to low confidentiality and integrity loss, with a changed scope, so the injected script can affect components beyond the vulnerable plugin itself.

What an attacker can do

Attacker Capabilities

Inject malicious scripts that execute in users' browsers and steal or modify data.

Potential impact on your site

Site Impact

Users visiting affected pages may have their sessions compromised or data altered without their knowledge.

Conditions required to exploit

Prerequisites

Network access to the site; high attack complexity (specific conditions must be met: the attack only succeeds in the Chrome web browser, and the victim must directly browse the media file via the attachment post).

Key dates

Disclosure timeline

January 17, 2025 CVE published
February 12, 2025 Record updated

Related vulnerabilities

Related CVE