What the vulnerability does
01 Description
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style_settings’ parameter in versions 2.9.0.1 up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attack is only successful in the Chrome web browser, and requires directly browsing the media file via the attachment post.
Explanation of Vulnerability in Simple Terms
02 Summary
Gravity Forms versions 2.9.0.1 through 2.9.1.3 contain a cross-site scripting vulnerability that allows an attacker to inject malicious scripts affecting multiple users. The vulnerability requires high attack complexity but does not require authentication or user interaction. The impact is limited to low-level confidentiality and integrity compromise across the affected scope.
What an attacker can do
03 Attacker Capabilities
Inject malicious scripts that execute in users' browsers and steal or modify data.
Potential impact on your site
04 Site Impact
Users visiting affected pages may have their sessions compromised or data altered without their knowledge.
Conditions required to exploit
05 Prerequisites
Network access to the site; high attack complexity (specific conditions must be met).
Key dates
06 Disclosure timeline
January 17, 2025: CVE published
February 12, 2025: Record updated