---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Vulnerability in Wordpress Gravity Forms Plugin'
version: '1.0'
number: '2023-032'
original_date: 'May 30, 2023'
date: 'May 31, 2023'
---
_History:_
* _31/05/2023 --- v1.0 -- Initial publication_
# Summary
On May 30, 2023, an unauthenticated PHP Object Injection vulnerability was disclosed in the Gravity Forms plugin for WordPress. This vulnerability, identified as CVE-2023-28782 (CVSS score of 8.3), may allow an unauthenticated user to pass crafted serialised strings to a vulnerable `unserialize` call, resulting in the injection of arbitrary PHP objects into the application scope [1].
The vulnerability can be triggered in a default installation of the Gravity Forms plugin; the only prerequisite is a form that contains a list field.
# Technical Details
The vulnerability occurs because user-supplied input is not sanitised before being passed to the `maybe_unserialize` function, a WordPress wrapper around PHP's `unserialize` function.
The vulnerability is found within the `get_field_input` function in the file:
```
includes/fields/class-gf-field-list.php
```
which handles the processing of a list field's input in Gravity Forms. A legacy `get_legacy_field_input` function contains identical code and is vulnerable as well.
The input comes from the `$value` variable. Because there is no check or sanitisation on it and it is passed directly to `maybe_unserialize`, any unauthenticated user can trigger PHP object injection by submitting a crafted value to a list field on a form created with Gravity Forms.
The list field's `get_field_input` function can be reached from the `get_field_input` function in `common.php`, which acts as the initial handler of input and forwards processing to the handler of each field type.
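The following PHP is an added illustration of the pattern described above, written for this advisory; it is not Gravity Forms or WordPress code. `DemoGadget`, `vulnerable_list_input()` and `hardened_list_input()` are hypothetical names, `maybe_unserialize_demo()` is a reduced re-implementation of WordPress' `maybe_unserialize()` so the file runs without WordPress loaded, and the `allowed_classes => false` hardening is one possible mitigation, not necessarily the change the vendor shipped in 2.7.4.

```php
<?php
declare(strict_types=1);

// Added example, not Gravity Forms or WordPress code. DemoGadget,
// vulnerable_list_input() and hardened_list_input() are hypothetical names.

// Reduced stand-in for WordPress' maybe_unserialize(): unserialize() is only
// called when the string looks like a serialised PHP value (assumption: the
// real is_serialized() covers more cases; this is enough for the demo).
function looks_serialized(string $data): bool
{
    return $data === 'N;' || preg_match('/^[abdiOsC]:/', $data) === 1;
}

function maybe_unserialize_demo(string $data)
{
    if (looks_serialized($data)) {
        $result = @unserialize($data);
        if ($result !== false) {
            return $result;
        }
    }
    return $data;
}

// Hypothetical class standing in for any class loaded by WordPress or a
// plugin that has magic methods. It is harmless: it only records that
// unserialize() invoked __wakeup() on attacker-supplied data.
class DemoGadget
{
    public string $note = '';

    public function __wakeup(): void
    {
        $this->note = 'wakeup ran with: ' . $this->note;
    }
}

// Vulnerable pattern, modelled on the advisory: the submitted list-field
// value reaches maybe_unserialize() without any check.
function vulnerable_list_input(string $value): array
{
    $rows = maybe_unserialize_demo($value);
    return is_array($rows) ? $rows : [$rows];
}

// A list field legitimately carries strings, possibly nested in arrays
// (one array per row for multi-column lists); nothing else is accepted.
function only_scalars($value): bool
{
    if (is_scalar($value) || $value === null) {
        return true;
    }
    if (!is_array($value)) {
        return false;
    }
    foreach ($value as $item) {
        if (!only_scalars($item)) {
            return false;
        }
    }
    return true;
}

// Hardened variant (one possible mitigation, not the vendor's actual fix):
// allowed_classes => false turns every O:/C: entry into __PHP_Incomplete_Class,
// so no application class is instantiated and none of its __wakeup() or
// __destruct() methods run; anything that is still not plain data is rejected.
function hardened_list_input(string $value): array
{
    $rows = $value;
    if (looks_serialized($value)) {
        $rows = @unserialize($value, ['allowed_classes' => false]);
    }
    if (!only_scalars($rows)) {
        throw new InvalidArgumentException('list field value contains objects');
    }
    return is_array($rows) ? $rows : [$rows];
}

// Constructed input: a serialised DemoGadget, as an unauthenticated visitor
// could send in the POST parameter of a list field ("injected" is 8 bytes).
$payload = 'O:10:"DemoGadget":1:{s:4:"note";s:8:"injected";}';

$rows = vulnerable_list_input($payload);
printf("vulnerable: %s / %s\n", get_class($rows[0]), $rows[0]->note);

try {
    hardened_list_input($payload);
} catch (InvalidArgumentException $e) {
    printf("hardened: rejected (%s)\n", $e->getMessage());
}

// A benign two-row value is still accepted by the hardened handler.
$benign = 'a:2:{i:0;s:3:"foo";i:1;s:3:"bar";}';
printf("hardened benign: %s\n", implode(',', hardened_list_input($benign)));
```

Run with `php` 7.4 or later. The vulnerable handler returns a live `DemoGadget` whose `__wakeup()` has already executed on the attacker's data, which is exactly the primitive the advisory describes; with a real gadget class the same path would execute the class's own logic. The hardened handler never instantiates application classes from user input and additionally rejects any value that is not a tree of strings, while ordinary serialised row arrays still pass.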
# Affected Products
The affected product is:
- Gravity Forms plugin version 2.7.3 and below.
# Recommendations
To mitigate this vulnerability, users should update the Gravity Forms plugin to version 2.7.4 or later. Administrators managing several installations can check the installed version from the plugins page of the WordPress dashboard or with WP-CLI (`wp plugin get gravityforms --field=version`).
# References
[1]
[2]