Rocketgenius Gravityforms

4 matches found

CVE
added 2020/06/02 8:33 p.m., 82 views

CVE-2020-13764

The CVE-2020-13764 entry documents an information-disclosure vulnerability in the WordPress Gravity Forms plugin prior to version 2.4.9. The issue arises because common.php exposes hashed passwords by not treating user_pass as a special case for $current_user->get($property), allowing potentia...

CVSS 7.5, AI score 7.5, EPSS 0.00923
CVE
added 2021/01/20 3:8 a.m., 65 views

CVE-2020-27850

Gravity Forms (Rocketgenius) stored XSS via the forms import feature, affecting versions prior to 2.4.21. The vulnerability allows an attacker to inject arbitrary script/HTML that is then interpreted by users with privileged roles (Administrator, Editor, etc.). Root cause is improper handling of ...

CVSS 4.8, AI score 4.8, EPSS 0.00242
CVE
added 2021/01/20 3:14 a.m., 61 views

CVE-2020-27851

CVE-2020-27851 concerns a vulnerability in a paid add-on for Gravity Forms (before 2.4.21) where stored HTML injection can be triggered through poll or quiz answers. The issue allows remote attackers to inject arbitrary HTML code, which would be interpreted by users with privileged roles (Adminis...

CVSS 5.4, AI score 5.8, EPSS 0.00221
CVE
added 2021/01/20 3:11 a.m., 61 views

CVE-2020-27852

The CVE-2020-27852 entry concerns Gravity Forms, a WordPress plugin, with a stored XSS in the survey feature exploitable via a textarea field before version 2.4.21. Affected: Gravity Forms (plugin) prior to 2.4.21. Root cause: unescaped/incorrect handling of textarea input in the survey feature t...

CVSS 5.4, AI score 5.2, EPSS 0.00212