Security Vulnerability Advisory
-------------------------------

CVE: CVE-2020-27851
Publication Date: 2021.01.15
Revision: 1.3
Link: https://digital.security/advisories/cert-ds_advisory_CVE-2020-27851.txt

Title
-----
Multiple stored HTML injection vulnerabilities in the "poll" and "quiz" features in an additional paid add-on of Rocketgenius Gravity Forms before 2.4.21 allow remote attackers to inject arbitrary HTML code via poll or quiz answers. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).

Overview
--------
An additional paid add-on of Gravity Forms 2.4.20 has multiple stored HTML injection vulnerabilities in the "poll" and "quiz" features. An authenticated user who can reply to a poll or a quiz can inject malicious HTML code (not JavaScript, i.e. not an XSS) into the answer. The HTML code in the answer is then interpreted on the results page.

Affected Products
-----------------
- Additional paid add-on of Gravity Forms 2.4.20

Details
-------
A feature of the Gravity Forms plugin v2.4.20 allows users to reply to a poll or a quiz. The Gravity Forms plugin doesn't correctly sanitize the user inputs, allowing the user to inject HTML code (for example links or h1 headings) into the responses. When a privileged user accesses the results page (https://xxxx/wp-admin/admin.php?page=gf_entries&id=1), the HTML code is interpreted. The HTML is also interpreted when a privileged user browses the form preview page (https://xxxx/content?gf_page=preview&id=1).

The presence of an HTML injection allows HTML code to be interpreted in users' browsers and potentially steal user credentials by trapping the victim. An attacker can insert HTML links that appear legitimate in the dashboard; these links can, for example, lead to a fake authentication page. "Stored" (or so-called persistent) HTML injection vulnerabilities are all the more dangerous as they are permanent and can affect several different users at different points in time.
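The root cause described above is a missing output-escaping step: a stored answer is written into the results page as markup instead of as text. The following PHP is an added illustration written for this advisory, not Gravity Forms code; the function names render_answer_unsafe, render_answer_safe and answer_contains_markup, and the sample answer, are constructed for the example. It uses the real WordPress function esc_html() when run inside WordPress and falls back to htmlspecialchars() so that it also runs stand-alone.

```php
<?php
// Added example (not Gravity Forms code): rendering a stored poll answer
// on an admin results page, first without and then with output escaping,
// plus a triage check for answers that already contain markup.

// Constructed sample answer, as a respondent could submit it.
$answer = '<a href="https://example.invalid/login">Session expired, log in again</a><h1>Notice</h1>';

// Outside WordPress, esc_html() does not exist; provide an equivalent
// fallback so the example runs stand-alone (assumption: UTF-8 content).
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the stored answer is concatenated into the page
// unchanged, so the browser interprets any tags it contains when a
// privileged user views the entry (the flaw the advisory describes).
function render_answer_unsafe($answer) {
    return '<td>' . $answer . '</td>';
}

// Hardened pattern: escape on output, so '<', '>', '"' and '&' are
// displayed literally and the answer can never become markup.
function render_answer_safe($answer) {
    return '<td>' . esc_html($answer) . '</td>';
}

// Triage helper for already-stored entries: true when stripping tags
// changes the string, i.e. the answer contains HTML that would have been
// interpreted by the unsafe renderer.
function answer_contains_markup($answer) {
    return strip_tags($answer) !== $answer;
}

echo render_answer_unsafe($answer), PHP_EOL;   // tags reach the browser as markup
echo render_answer_safe($answer), PHP_EOL;     // tags reach the browser as text
var_dump(answer_contains_markup($answer));     // bool(true)
var_dump(answer_contains_markup('Option B'));  // bool(false)
```

Escaping on output is the right place for the fix because the stored value is then safe regardless of how it was submitted; where a results page genuinely needs to allow limited formatting, the WordPress function wp_kses_post() applies an allow-list instead of rejecting all markup. The answer_contains_markup check is useful after upgrading to 2.4.21 to find entries that were submitted while the unescaped rendering was in place.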
CVSSv3 Overall Score: 5.4
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Solution
--------
This vulnerability has been fixed in Gravity Forms 2.4.21; we recommend updating Gravity Forms.

Credits
-------
This vulnerability was discovered by Vincent Rakotomanga from CERT digital.security.

Revision History
----------------
Revision 1.0: 2020.09.22 / First draft of security advisory
Revision 1.1: 2020.09.24 / In the title of the draft, replace 'in the survey feature' by 'in the "poll" and "quiz" features'
Revision 1.2: 2020.10.08 / Update CVSS and remove the mention "JavaScript injection"
Revision 1.3: 2021.01.15 / Removal of vulnerability exploitation details, update solution with fixed version, update title

Timeline
--------
2020.09.09 - Discovery of the vulnerability
2020.09.22 - Vulnerability is reported to the Gravity Forms Team
2020.10.14 - Gravity Forms 2.4.21 released with vulnerability fixes

References
----------
https://docs.gravityforms.com/gravityforms-change-log/