• Call Us: (540) 566-8737
    • Account Login (AMP)
    Menu
    GravityForms 2.9.0.1 – 2.9.1.3 – Unauthenticated Stored Cross-Site Scripting via ‘style_settings’ parameter

    GravityForms 2.9.0.1 – 2.9.1.3 – Unauthenticated Stored Cross-Site Scripting via ‘style_settings’ parameter

    Tweet
    Share
    Share
    Pin
    0 Shares

    EntreBase Advisory: The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style_settings’ parameter in versions 2.9.0.1 up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attack is only successful in the Chrome web browser, and requires directly browsing the media file via the attachment post.

    Read more about this vulnerability: https://www.wordfence.com/threat-intel/vulnerabilities/id/f884ea43-e1a5-4b44-8a24-f68f71b0fcfb?source=api-prod

    About the Contributor
    Trust & Safety
    The Trust & Safety team ensures the EntreBase platform remains compliant, safe, and user-friendly. Focused on risk management and user protection, they work to uphold trust and provide a seamless experience.