CVE-2024-13845
📋 TL;DR
The Gravity Forms WebHooks plugin for WordPress has a Server-Side Request Forgery vulnerability that allows authenticated administrators to make arbitrary web requests from the server. This could enable attackers with admin access to query internal services or interact with external systems. Only WordPress sites using vulnerable versions of this specific plugin are affected.
💻 Affected Systems
- Gravity Forms WebHooks WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Administrator-level attacker could use the vulnerable server to scan internal networks, access internal services, or interact with external systems while appearing to originate from the legitimate WordPress server.
Likely Case
Compromised administrator account could be used to make requests to internal services or external APIs, potentially exposing sensitive data or performing unauthorized actions.
If Mitigated
With proper access controls and network segmentation, impact is limited to what the web server can reach, but still represents a privilege escalation risk.
🎯 Exploit Status
Exploitation requires administrator-level WordPress access. The vulnerability is in the 'process_feed' method, which can be triggered through normal plugin functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.0
Vendor Advisory: https://www.gravityforms.com/blog/brand-new-release-webhooks-add-on-1-7/
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Gravity Forms WebHooks' and click 'Update Now'.
4. Alternatively, download version 1.7.0+ from Gravity Forms website and manually update.
🔧 Temporary Workarounds
Disable WebHooks Plugin
Temporarily deactivate the vulnerable plugin until patching is possible
wp plugin deactivate gravityformswebhooks
Restrict Administrator Access
Limit administrator accounts to only trusted users and implement strong authentication
🧯 If You Can't Patch
- Implement network segmentation to restrict the web server's ability to reach internal services
- Monitor administrator account activity and implement strict access controls
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Gravity Forms WebHooks → Version. If version is 1.6.0 or lower, you are vulnerable.
Check Version:
wp plugin get gravityformswebhooks --field=version
Verify Fix Applied:
After updating, verify the plugin version shows 1.7.0 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from web server to internal IP ranges
- Multiple webhook requests to unexpected domains from administrator accounts
Network Indicators:
- Web server making requests to internal services not typically accessed
- Outbound requests to unusual external domains from web server IP
SIEM Query:
source="wordpress.log" AND ("process_feed" OR "webhook" OR "GF_Webhooks") AND (admin_user OR administrator)
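The log and network indicators above both come down to one check: a webhook target that points at an internal or loopback address. The script below is an added example, not code from the advisory or the plugin; it assumes a constructed, hypothetical log line format (timestamp, user, feed id, target URL) and flags entries whose URL host is a literal address inside a private, loopback or link-local range.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample log (hypothetical format, not the plugin's real log output):
# "<timestamp> webhook user=<wp_user> feed=<feed_id> url=<target>"
SAMPLE_LOG = """\
2024-01-10T10:00:01Z webhook user=admin feed=3 url=https://hooks.example.com/crm
2024-01-10T10:00:05Z webhook user=admin feed=7 url=http://10.0.0.5:8080/status
2024-01-10T10:00:09Z webhook user=editor feed=2 url=http://169.254.169.254/latest/meta-data/
2024-01-10T10:00:12Z webhook user=admin feed=9 url=http://localhost:9200/_cat/indices
2024-01-10T10:00:15Z webhook user=admin feed=4 url=https://api.partner.example.org/v1/leads
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) webhook user=(?P<user>\S+) feed=(?P<feed>\d+) url=(?P<url>\S+)$")

# Ranges a public WordPress host should normally never need to call from a webhook.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal_target(url: str) -> bool:
    """True when the URL host is 'localhost' or a literal address in an internal range."""
    host = urlparse(url).hostname
    if host is None:
        return True  # unparseable target: surface it rather than silently pass it
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname. DNS is deliberately not resolved here (offline check), so a name
        # that resolves to an internal address is NOT caught; correlate with DNS logs.
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_webhooks(log_text: str) -> list:
    """Parse the constructed log format and return entries aimed at internal targets."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        if is_internal_target(entry["url"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for h in find_suspicious_webhooks(SAMPLE_LOG):
        print(f'{h["ts"]} user={h["user"]} feed={h["feed"]} -> {h["url"]}')
```

Run against the constructed sample, feeds 7, 2 and 9 are flagged; the two public-hostname targets are not.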