CVE-2023-28782: PHP Object Injection Flaw in WordPress Gravity Forms Plugin with 1 million active installations

A recent security vulnerability has been unearthed in the popular WordPress plugin Gravity Forms, threatening the very fabric of the plugin’s security and the integrity of nearly a million active websites utilizing its service. The security vulnerability identified is an Unauthenticated PHP Object Injection, posing a significant risk to users and sending waves of concern across the WordPress community.

Gravity Forms, a prominent WordPress plugin, simplifies the creation and integration of custom forms, quizzes, and surveys on websites. Its popularity stems from its user-friendly interface and an array of flexible functionalities that effortlessly tailor to a website’s specific requirements. However, the discovery of an Unauthenticated PHP Object Injection vulnerability, with a CVE score of 8.3 and marked as CVE-2023-28782, casts a cloud over the plugin’s otherwise sterling reputation. Rafie Muhammad of Patchstack deserves recognition for identifying and reporting this PHP Object Injection vulnerability.

The root cause of this vulnerability is the ‘maybe_unserialize’ function. By design, this function is a wrapper for PHP unserialize function, which, under normal circumstances, deserializes user-supplied input. However, the lurking menace is unveiled when this input is not appropriately sanitized before being processed.

public function get_field_input( $form, $value = '', $entry = null ) {



    if( GFCommon::is_legacy_markup_enabled( $form ) ) {

        return $this->get_legacy_field_input( $form, $value, $entry );

    }



    $form_id        = $form['id'];

    $is_form_editor = $this->is_form_editor();



    if ( ! empty( $value ) ) {

        $value = maybe_unserialize( $value );

    }

This gaping hole in the security fabric allows unauthenticated users to manipulate serialized strings passed into the vulnerable unserialize call, leading to an arbitrary injection of PHP object(s) into the application’s scope. The core of this vulnerability lies within the ‘get_field_input’ function, nestled within the class-gf-field-list.php file, which, in turn, deals with input field processing of a list field.

The ‘get_field_input’ function and its legacy counterpart, the ‘get_legacy_field_input’, both house the same vulnerable code. In their respective architectures, they lack the crucial element of scrutinizing and sanitizing the $value variable. Consequently, any unauthenticated user can trigger a PHP object injection by submitting to a list field in a form created using Gravity Forms.

public static function get_field_input( $field, $value = '', $lead_id = 0, $form_id = 0, $form = null ) {



    if ( ! $field instanceof GF_Field ) {

        $field = GF_Fields::create( $field );

    }



    $is_form_editor  = GFCommon::is_form_editor();

    $is_entry_detail = GFCommon::is_entry_detail();

    $is_admin        = $is_form_editor || $is_entry_detail;

----------------------------------------------------------------------------

    $type = RGFormsModel::get_input_type( $field );

    switch ( $type ) {

----------------------------------------------------------------------------

        default :



            if ( ! empty( $post_link ) ) {

                return $post_link;

            }



            if ( $form === null ) {

                $form = array( 'id' => 0 );

            }



            if ( ! isset( $lead ) ) {

                $lead = null;

            }



            return $field->get_field_input( $form, $value, $lead );



            break;



    }

In the grand scheme of things, the repercussions of the CVE-2023-28782 vulnerability are significantly limited, given the lack of a significant POP chain within the vulnerable plugin at the time of this revelation. However, the danger escalates when an additional plugin or theme introduces a POP chain on the WordPress site. This precarious setup potentially arms an attacker with the ability to delete arbitrary files, procure sensitive data, or execute code, depending on the available POP chain.

Fortunately, swift action has been taken to mitigate this potentially disastrous vulnerability. In Gravity Forms version 2.7.4, this issue has been addressed and rectified, providing a sigh of relief for its users.