CVE-2024-13378
📋 TL;DR
The Gravity Forms WordPress plugin has a stored XSS vulnerability that allows unauthenticated attackers to inject malicious scripts via the 'style_settings' parameter. When users view compromised pages in Chrome browsers, the scripts execute automatically. This affects WordPress sites running Gravity Forms versions 2.9.0.1 through 2.9.1.3.
💻 Affected Systems
- Gravity Forms WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to site takeover.
Likely Case
Attackers inject malicious scripts that steal user session data or credentials when users view compromised pages in Chrome.
If Mitigated
With proper input validation and output escaping, the attack fails and no script execution occurs.
🎯 Exploit Status
Exploitation requires a Chrome browser and a specific media file access path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.1.4
Vendor Advisory: https://docs.gravityforms.com/gravityforms-change-log/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Gravity Forms and click 'Update Now'.
4. Verify the version is 2.9.1.4 or higher.
🔧 Temporary Workarounds
Disable Chrome Access
Block Chrome browsers from accessing media attachment pages via web server configuration. The rules below return 403 to any user agent containing "Chrome" that requests an image file under wp-content/uploads; because the User-Agent header is client-controlled, treat this as a stopgap until the plugin is updated.
# Add to .htaccess for Apache:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} Chrome [NC]
RewriteRule ^wp-content/uploads/.*\.(jpg|jpeg|png|gif)$ - [F,L]
# Add to the nginx server block (nginx does not allow a location inside an if block,
# so the user-agent check goes inside the location):
location ~ ^/wp-content/uploads/.*\.(jpg|jpeg|png|gif)$ {
    if ($http_user_agent ~* Chrome) {
        return 403;
    }
}
🧯 If You Can't Patch
- Temporarily disable the Gravity Forms plugin until it is patched.
- Implement Content Security Policy (CSP) headers to restrict script execution.
🔍 How to Verify
Check if Vulnerable:
Check Gravity Forms version in WordPress admin panel under Plugins > Installed Plugins.
Check Version:
wp plugin list --name=gravityforms --field=version
Verify Fix Applied:
Confirm Gravity Forms version is 2.9.1.4 or higher in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Gravity Forms endpoints with a style_settings parameter containing script tags.
- Multiple Chrome user agents accessing media attachment pages with suspicious parameters.
Network Indicators:
- HTTP requests containing 'style_settings' parameter with JavaScript payloads.
- Chrome browser requests to media attachment URLs with encoded script content.
SIEM Query:
source="web_logs" AND uri_path="*wp-content/uploads*" AND user_agent="*Chrome*" AND (query_string="*style_settings=*script*" OR query_string="*style_settings=*javascript:*")
Query strings are usually logged URL-encoded, so match on a decoded field where your SIEM provides one, or add the encoded forms (for example javascript%3A) to the OR clause.
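As an added example, not part of the original advisory, the following Python script applies the log indicators above to constructed Apache combined-format access log lines: it URL-decodes the style_settings parameter, flags script tags and javascript: URLs (plus inline event handlers, an extension of the page's two patterns), and records whether the request hit the uploads path and came from a Chrome user agent. The log format, field names and sample entries are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache "combined" access log lines for testing; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:12:00:01 +0000] "GET /wp-content/uploads/2025/01/photo.jpg?style_settings=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
203.0.113.11 - - [10/Jan/2025:12:00:02 +0000] "GET /wp-content/uploads/2025/01/photo.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
203.0.113.12 - - [10/Jan/2025:12:00:03 +0000] "GET /wp-content/uploads/2025/01/photo.jpg?style_settings=javascript:alert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
203.0.113.13 - - [10/Jan/2025:12:00:04 +0000] "POST /wp-admin/admin-ajax.php?style_settings=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 44 "-" "Mozilla/5.0 (Macintosh) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
"""

# Apache combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Script tags and javascript: URLs are the advisory's indicators; inline event handlers are an added variant.
PAYLOAD_RE = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)

def classify(line):
    """Return a finding for a request whose style_settings value carries script, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; ignore it
    target = urlsplit(m.group("target"))
    qs = parse_qs(target.query, keep_blank_values=True)  # decodes one layer of percent-encoding
    # A second unquote catches double-encoded values such as %253Cscript%253E.
    values = [unquote_plus(v) for v in qs.get("style_settings", [])]
    hit = next((v for v in values if PAYLOAD_RE.search(v)), None)
    if hit is None:
        return None
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": target.path,
        "payload": hit,
        # The two log indicators above: media/uploads path and Chrome user agent.
        "uploads_path": target.path.startswith("/wp-content/uploads/"),
        "chrome_ua": "Chrome/" in m.group("ua"),
    }

def scan(log_text):
    """Scan access-log text; return one finding per suspicious request, in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```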