CVE-2020-13764

7.5 HIGH

📋 TL;DR

This vulnerability in the Gravity Forms WordPress plugin allows attackers to retrieve hashed user passwords because of improper access control: the user_pass field is not properly restricted in certain API calls. It affects WordPress sites running Gravity Forms versions before 2.4.9.

💻 Affected Systems

Products:
  • Gravity Forms WordPress Plugin
Versions: All versions before 2.4.9
Operating Systems: All platforms running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with Gravity Forms plugin installed and active.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers obtain password hashes for all users, potentially enabling offline cracking and account takeover across the WordPress site.

🟠 Likely Case: Unauthorized access to password hashes for Gravity Forms users, potentially leading to targeted account compromise if weak passwords are used.

🟢 If Mitigated: Limited exposure if strong password hashing is used and monitoring detects unusual access patterns.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and the vulnerability can be exploited remotely.
🏢 Internal Only: MEDIUM - Internal systems using vulnerable versions remain at risk from insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some level of access to Gravity Forms functionality, but detailed technical information is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.9 and later

Vendor Advisory: https://docs.gravityforms.com/gravityforms-change-log/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Gravity Forms
4. Click 'Update Now' if available
5. Alternatively, download version 2.4.9 or later from the Gravity Forms website
6. Upload and replace it via the WordPress plugin uploader

🔧 Temporary Workarounds

Disable Gravity Forms (platforms: all)

Temporarily disable the Gravity Forms plugin until patching is possible:

wp plugin deactivate gravityforms

🧯 If You Can't Patch

  • Implement strict access controls and monitor for unusual API calls to Gravity Forms endpoints
  • Enable strong password policies and consider forcing password resets for all users

🔍 How to Verify

Check if Vulnerable:

Check Gravity Forms version in WordPress admin under Plugins → Installed Plugins

Check Version:

wp plugin get gravityforms --field=version

Verify Fix Applied:

Confirm version is 2.4.9 or higher in plugin details
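The version check above, as an added shell example that is not part of this advisory: it runs the page's own WP-CLI command and compares the result with 2.4.9 component by component rather than as a string (a string compare would rank 2.4.10 below 2.4.9). The function names and the suggested --path location are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): numeric version check for CVE-2020-13764.
# The fixed release named on this page is Gravity Forms 2.4.9.
GF_FIXED_VERSION="2.4.9"

# version_lt A B: return 0 when dotted version A is strictly lower than B.
# Compares component by component, so 2.4.10 is correctly above 2.4.9.
# Missing components count as 0 (2.4 == 2.4.0); a non-numeric suffix such
# as "-beta1" is ignored (simplification: prereleases are treated as the
# numeric release they are named after).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"            # first component
        ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}" # drop non-numeric suffix
        ax="${ax:-0}"; bx="${bx:-0}"             # empty component -> 0
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1   # equal
}

# gf_is_vulnerable VERSION: return 0 when VERSION predates the fixed release.
gf_is_vulnerable() {
    version_lt "$1" "$GF_FIXED_VERSION"
}

# gf_check_site: ask WP-CLI for the installed version (the command from this
# advisory) and report. Run it from the WordPress root, or pass --path to wp
# (e.g. --path=/var/www/html, an assumed location).
gf_check_site() {
    v="$(wp plugin get gravityforms --field=version 2>/dev/null)" || {
        echo "Gravity Forms not installed or WP-CLI unavailable" >&2
        return 2
    }
    if gf_is_vulnerable "$v"; then
        echo "VULNERABLE: Gravity Forms $v < $GF_FIXED_VERSION (CVE-2020-13764): update or deactivate"
        return 1
    fi
    echo "OK: Gravity Forms $v is $GF_FIXED_VERSION or later"
    return 0
}
```

Source the file and call gf_check_site on the host, or feed gf_is_vulnerable a version string collected from an inventory.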

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET/POST requests to Gravity Forms API endpoints, particularly requests that read user properties

Network Indicators:

  • Suspicious API calls to /wp-json/gf/v2/ or similar Gravity Forms endpoints

SIEM Query:

source="wordpress" AND (uri_path="*gf*" OR uri_path="*gravity*" OR user_agent="*gravityforms*") AND status=200
