Gravity Forms
Monthly
Arbitrary file disclosure in the Gravity Forms WordPress plugin (all versions through 2.10.4) lets unauthenticated attackers read sensitive files from the web server by abusing the 'gform_uploaded_files' parameter against the process_send_resume_link endpoint. Reported by Wordfence, the flaw carries CVSS 7.5 and is exfiltrated by directing the traversal-retrieved file to an attacker-controlled email as a form notification attachment. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Deserialization of Untrusted Data vulnerability in Rocketgenius Inc. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Gravity Forms WordPress plugin before 2.7.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Arbitrary file disclosure in the Gravity Forms WordPress plugin (all versions through 2.10.4) lets unauthenticated attackers read sensitive files from the web server by abusing the 'gform_uploaded_files' parameter against the process_send_resume_link endpoint. Reported by Wordfence, the flaw carries CVSS 7.5 and is exfiltrated by directing the traversal-retrieved file to an attacker-controlled email as a form notification attachment. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Deserialization of Untrusted Data vulnerability in Rocketgenius Inc. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Gravity Forms WordPress plugin before 2.7.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.