https://bit.ly/3C0YohM

A security vulnerability was detected in the widely used Gravity Forms WordPress plugin (versions 2.7.3 and below), which has nearly 1 million active installations. This custom form plugin lets users easily integrate contact forms, quizzes, and surveys into their websites. #WordPress #GravityForms #WebSecurity

The vulnerability is an unauthenticated PHP Object Injection. It occurs because user input is not properly sanitized before being passed to 'maybe_unserialize', WordPress's wrapper around PHP's unserialize() function. An unauthenticated user could exploit this flaw by submitting a serialized string to the vulnerable unserialize call, injecting arbitrary PHP objects into the application's scope. #PHPObjectInjection #CyberSecurity

The flawed code resides in the 'get_field_input' function and is reachable in a default installation or configuration of the Gravity Forms plugin; the only requirement is a form that includes a list field. The impact is currently deemed limited because the vulnerable plugin contains no significant POP (property-oriented programming) gadget chain, but other plugins or themes installed on the same site could supply one and so increase the severity. #Coding #CyberThreat

The issue was addressed in Gravity Forms plugin version 2.7.4, which replaced the unsafe 'maybe_unserialize' call. Developers generally caution against using unserialize for processing data and recommend JSON for handling more complex data structures instead. #Patch #TechUpdate #SecureCoding

The vulnerability was first discovered on March 27, 2023, and the patched plugin version was released on April 11. The vulnerability was added to the Patchstack vulnerability database on May 29, with the article detailing the flaw published a day later. #Timeline #CyberSecurityNews

Please ensure your Gravity Forms plugin is updated to at least version 2.7.4. Stay vigilant!
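To make the unserialize-versus-JSON point concrete, here is an added PHP example (not Gravity Forms or WordPress code): a stand-in for the maybe_unserialize wrapper, the vulnerable shape of handling a list-field value, and the JSON-based replacement. The function and class names (maybe_unserialize_demo, AuditHook, vulnerable_list_value, hardened_list_value) are hypothetical, and the inputs are constructed.

```php
<?php
// Added example, not Gravity Forms or WordPress code; names are hypothetical.
// Stand-in for WordPress's maybe_unserialize(): anything that looks serialized goes
// straight to unserialize(), so the submitter decides which classes get instantiated.
function maybe_unserialize_demo(string $data)
{
    return preg_match('/^[aObsid]:/', $data) ? unserialize($data) : $data;
}

// Deliberately harmless class: its magic method only logs, but it runs inside
// unserialize(), before the application has inspected the decoded value at all.
class AuditHook
{
    public string $note = '';
    public function __wakeup(): void { error_log('AuditHook::__wakeup ran, note=' . $this->note); }
}

// VULNERABLE shape: the raw submitted string is fed to the unserialize wrapper.
function vulnerable_list_value(string $raw): array
{
    $value = maybe_unserialize_demo($raw);
    return is_array($value) ? $value : [];
}

// HARDENED shape: decode as JSON into plain arrays only and validate the expected
// structure (rows of strings), so no object is ever built from user input.
function hardened_list_value(string $raw): array
{
    $value = json_decode($raw, true, 4, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new UnexpectedValueException('list value must be a JSON array');
    }
    foreach ($value as $row) {
        foreach ((is_array($row) ? $row : [$row]) as $cell) {
            if (!is_string($cell)) {
                throw new UnexpectedValueException('list cells must be strings');
            }
        }
    }
    return $value;
}
// Constructed inputs: a serialized object versus the JSON the hardened path expects.
$serialized = 'O:9:"AuditHook":1:{s:4:"note";s:8:"see logs";}';
vulnerable_list_value($serialized);                   // __wakeup runs; returns []
print_r(hardened_list_value('[["a","b"],["c","d"]]')); // accepted as plain arrays
try {
    hardened_list_value($serialized);                 // rejected before any class is touched
} catch (JsonException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Where a serialized format genuinely cannot be dropped, `unserialize($data, ['allowed_classes' => false])` turns every object into `__PHP_Incomplete_Class` and never invokes its magic methods, which removes the injection primitive even when another plugin or theme supplies a gadget chain.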