
CVE-2025-48330 – Real Time Validation for Gravity Forms <= 1.7.0 - Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-48330
30 May 2025 — The Real Time Validation for Gravity Forms plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
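The CWE-98 entry above describes the general pattern (a request parameter chooses which file PHP includes), not the plugin's code, which is not on this page. The following is an added illustration written for this listing: the function names, the `template` parameter and the `templates/` directory are hypothetical, and the vulnerable form deliberately reproduces the behaviour the advisory describes, where an uploaded image containing PHP tags can be included and executed.

```php
<?php
// Added illustration of CWE-98 in a WordPress plugin; NOT the Real Time Validation plugin's code.
// Hypothetical layout: the plugin ships templates/default.php and templates/inline.php.

// Vulnerable: the request decides the include path. With no extension appended, a traversal such as
//   ?template=../../../uploads/2025/05/avatar.png
// includes an uploaded "image" and PHP executes any <?php ... ?> block inside it (CWE-98).
function rtv_render_template_vulnerable() {
    $template = isset( $_GET['template'] ) ? $_GET['template'] : 'default';
    include plugin_dir_path( __FILE__ ) . 'templates/' . $template;
}

// Hardened: user input selects a key in a fixed allowlist and never becomes part of a path.
function rtv_render_template_hardened() {
    $allowed = array(
        'default' => 'templates/default.php',
        'inline'  => 'templates/inline.php',
    );
    $key = isset( $_GET['template'] ) ? sanitize_key( wp_unslash( $_GET['template'] ) ) : 'default';
    if ( ! isset( $allowed[ $key ] ) ) {
        $key = 'default';
    }
    $path = plugin_dir_path( __FILE__ ) . $allowed[ $key ];

    // Defence in depth: resolve symlinks and "..", then require the file to sit inside the
    // templates directory. realpath() returns false for a missing file, which is also a rejection.
    $real = realpath( $path );
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    if ( false === $real || false === $base || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return;
    }
    include $real;
}
```

The allowlist is the actual fix; the realpath() check only catches a future regression (for example a new code path that builds the file name from input again). Appending a fixed `.php` suffix is not a substitute: it only narrows which files can be included, and does nothing if the attacker can upload a file with that extension.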

CVE-2025-48329 – WordPress Real Time Validation for Gravity Forms plugin <= 1.7.0 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-48329
30 May 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daman Jeet Real Time Validation for Gravity Forms allows Reflected XSS. This issue affects Real Time Validation for Gravity Forms: from n/a through 1.7.0. The Real Time Validation for Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated a... • https://patchstack.com/database/wordpress/plugin/real-time-validation-for-gravity-forms/vulnerability/wordpress-real-time-validation-for-gravity-forms-plugin-1-7-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-48328 – WordPress Real Time Validation for Gravity Forms plugin <= 1.7.0 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
https://notcve.org/view.php?id=CVE-2025-48328
30 May 2025 — Cross-Site Request Forgery (CSRF) vulnerability in Daman Jeet Real Time Validation for Gravity Forms allows Cross Site Request Forgery. This issue affects Real Time Validation for Gravity Forms: from n/a through 1.7.0. The Real Time Validation for Gravity Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauth... • https://patchstack.com/database/wordpress/plugin/real-time-validation-for-gravity-forms/vulnerability/wordpress-real-time-validation-for-gravity-forms-plugin-1-7-0-cross-site-request-forgery-csrf-to-settings-change-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
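"Unauthenticated" in a CSRF advisory means the attacker needs no account of their own; the request is still made by a logged-in administrator whose browser is tricked into submitting it. The snippet below is an added illustration of the missing-nonce pattern the entry describes, not the plugin's code: the `admin_post_*` hook names, the `rtv_settings` option and the form field are hypothetical.

```php
<?php
// Added illustration of CWE-352 in a WordPress settings handler; NOT the Real Time Validation plugin's code.
// Hook names, option name and field names are hypothetical.

// Vulnerable: any POST to admin-post.php?action=rtv_save_settings_vulnerable is honoured.
// An attacker page with an auto-submitting form changes the option the moment an admin visits it.
add_action( 'admin_post_rtv_save_settings_vulnerable', function () {
    update_option( 'rtv_settings', wp_unslash( $_POST['rtv_settings'] ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=rtv' ) );
    exit;
} );

// Hardened, part 1: the form carries a nonce bound to this specific action.
function rtv_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="rtv_save_settings">';
    wp_nonce_field( 'rtv_save_settings', 'rtv_nonce' );
    echo '<label>Mode <input type="text" name="rtv_settings[mode]"></label> ';
    echo '<button type="submit" class="button button-primary">Save</button>';
    echo '</form>';
}

// Hardened, part 2: capability check first, then nonce check, then validation of the value.
// The nonce proves the request came from a form this site rendered for this user;
// the capability check stops low-privilege users from reaching the handler at all.
add_action( 'admin_post_rtv_save_settings', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'rtv_save_settings', 'rtv_nonce' ); // dies on a missing or invalid nonce

    $raw  = isset( $_POST['rtv_settings'] ) ? (array) wp_unslash( $_POST['rtv_settings'] ) : array();
    $mode = isset( $raw['mode'] ) ? sanitize_text_field( $raw['mode'] ) : 'off';
    if ( ! in_array( $mode, array( 'off', 'on' ), true ) ) {
        $mode = 'off';
    }
    update_option( 'rtv_settings', array( 'mode' => $mode ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=rtv' ) );
    exit;
} );
```

Nonce and capability checks answer different questions (was this request intended? is this user allowed?), so one does not replace the other. For an AJAX endpoint the same shape applies with `check_ajax_referer()` in place of `check_admin_referer()`.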

CVE-2024-13845 – Gravity Forms WebHooks <= 1.6.0 - Authenticated (Admin+) Server-Side Request Forgery via Webhook
https://notcve.org/view.php?id=CVE-2024-13845
30 Apr 2025 — The Gravity Forms WebHooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.0 via the 'process_feed' method of the GF_Webhooks class. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. • https://www.gravityforms.com/blog/brand-new-release-webhooks-add-on-1-7 • CWE-918: Server-Side Request Forgery (SSRF) •
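A webhook feature is SSRF by design unless the destination is constrained, which is why an Administrator-only issue still matters on multi-site or managed hosting where the web tier can reach metadata endpoints and internal services. The following is an added illustration of the weak and the constrained request, written for this listing and not taken from the WebHooks add-on; the function names and the host allowlist setting are hypothetical.

```php
<?php
// Added illustration of CWE-918 in a webhook sender; NOT the Gravity Forms WebHooks add-on's code.
// Function names and the $allowed_hosts setting are hypothetical.

// Vulnerable: the stored feed URL is posted to as-is, so whoever controls the setting can
// aim the site at http://169.254.169.254/ or at an internal admin interface.
function gfw_send_vulnerable( $url, array $payload ) {
    return wp_remote_post( $url, array( 'body' => wp_json_encode( $payload ) ) );
}

// Hardened: WordPress core's own URL validation plus an explicit destination allowlist.
// wp_http_validate_url() accepts only http/https, only ports 80/443/8080, and rejects
// loopback and RFC 1918 addresses unless the http_request_host_is_external filter allows them.
// wp_safe_remote_post() applies the same validation at request time (reject_unsafe_urls).
function gfw_send_hardened( $url, array $payload, array $allowed_hosts ) {
    $validated = wp_http_validate_url( $url );
    if ( false === $validated ) {
        return new WP_Error( 'gfw_bad_url', 'Webhook URL rejected by wp_http_validate_url()' );
    }

    $host = strtolower( (string) wp_parse_url( $validated, PHP_URL_HOST ) );
    if ( ! in_array( $host, array_map( 'strtolower', $allowed_hosts ), true ) ) {
        return new WP_Error( 'gfw_host_not_allowed', 'Webhook host is not on the allowlist' );
    }

    return wp_safe_remote_post( $validated, array(
        'body'        => wp_json_encode( $payload ),
        'headers'     => array( 'Content-Type' => 'application/json' ),
        'timeout'     => 5,
        'redirection' => 0, // no redirects, so the destination cannot change after validation
    ) );
}

// Usage (hypothetical feed settings):
// $result = gfw_send_hardened( $feed['url'], $entry, array( 'hooks.example.com' ) );
// if ( is_wp_error( $result ) ) { /* log and skip the feed */ }
```

The allowlist is what actually bounds the feature; the core validation alone still permits any public host, and its address check happens at validation time, so a hostname whose DNS answer changes between validation and connection (DNS rebinding) is a residual risk that an allowlist of known hostnames reduces but does not remove.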

CVE-2025-39428 – WordPress Gravity Forms CSS Themes with Fontawesome and Placeholders plugin <= 8.5 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-39428
17 Apr 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maros Pristas Gravity Forms CSS Themes with Fontawesome and Placeholders allows Stored XSS. This issue affects Gravity Forms CSS Themes with Fontawesome and Placeholders: from n/a through 8.5. The Gravity Forms CSS Themes with Fontawesome and Placeholders plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 8.5 due to insufficient input sanitization and output ... • https://patchstack.com/database/wordpress/plugin/gravity-forms-css-themes-with-fontawesome-and-placeholder-support/vulnerability/wordpress-gravity-forms-css-themes-with-fontawesome-and-placeholders-plugin-8-5-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-13377 – GravityForms <= 2.9.1.3 - Unauthenticated Stored Cross-Site Scripting via 'alt' parameter
https://notcve.org/view.php?id=CVE-2024-13377
16 Jan 2025 — The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alt’ parameter in all versions up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://docs.gravityforms.com/gravityforms-change-log • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-13378 – GravityForms 2.9.0.1 - 2.9.1.3 - Unauthenticated Stored Cross-Site Scripting via 'style_settings' parameter
https://notcve.org/view.php?id=CVE-2024-13378
16 Jan 2025 — The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style_settings’ parameter in versions 2.9.0.1 up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attack is only successful in the Chrome web browser, and requires directly browsing the media file via the attachment post. ... • https://docs.gravityforms.com/gravityforms-change-log • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-24545 – WordPress BSK Forms Validation plugin <= 1.7 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-24545
20 Nov 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BannerSky.com BSK Forms Validation allows Reflected XSS. This issue affects BSK Forms Validation: from n/a through 1.7. The BSK Forms Validation plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages ... • https://patchstack.com/database/wordpress/plugin/bsk-gravity-forms-custom-validation/vulnerability/wordpress-bsk-forms-validation-plugin-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
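Five entries on this page (CVE-2025-48329, CVE-2025-39428, CVE-2024-13377, CVE-2024-13378 and CVE-2025-24545) share the same root cause: a value reaches HTML output without escaping for the context it lands in. The block below is an added illustration of that pattern in attribute and text context and of its fix; it is not code from Gravity Forms or any of the listed add-ons. Only the `alt` field name comes from the CVE-2024-13377 title; the function names and the `q` query parameter are hypothetical.

```php
<?php
// Added illustration of CWE-79; NOT the code of Gravity Forms or of any add-on listed here.
// 'alt' is the field named in the CVE-2024-13377 title; function names and 'q' are hypothetical.

// Vulnerable (stored): untrusted text is concatenated straight into an attribute.
// An alt value of   x" onerror="alert(document.cookie)   closes the attribute and adds a handler.
function gfx_image_vulnerable( $src, $alt ) {
    return '<img src="' . $src . '" alt="' . $alt . '">';
}

// Hardened: escape for the exact output context.
//   esc_url()  for URL-valued attributes (also drops javascript: and data: schemes),
//   esc_attr() for ordinary attribute values,
//   esc_html() for text nodes.
// No single escaper is safe in all three positions.
function gfx_image_hardened( $src, $alt ) {
    return '<img src="' . esc_url( $src ) . '" alt="' . esc_attr( $alt ) . '">';
}

// Reflected variant (the BSK and Real Time Validation entries): a query parameter echoed back.
// Sanitizing on input limits what is stored; escaping on output is what prevents the injection.
function gfx_search_notice() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<p>Results for: ' . esc_html( $q ) . '</p>';
}

// Stored values that were already saved unescaped stay dangerous: escape at render time,
// never assume the database contents are clean.
function gfx_render_saved_alt( $attachment_id ) {
    $alt = (string) get_post_meta( $attachment_id, '_wp_attachment_image_alt', true );
    return '<img src="' . esc_url( wp_get_attachment_url( $attachment_id ) ) . '" alt="' . esc_attr( $alt ) . '">';
}
```

The "unauthenticated" qualifier in the Gravity Forms entries is what makes them stored XSS worth prioritising: a form submitter needs no account, and the payload fires for whoever views the entry, typically an administrator in wp-admin.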

CVE-2022-3154 – Multiple Plugins from Viszt Peter - Multiple CSRF
https://notcve.org/view.php?id=CVE-2022-3154
14 Sep 2022 — The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo & Gravity Forms WordPress plugin before 1.0.4, Integration for Szamlazz.hu & Gravity Forms WordPress plugin before 1.2.7 are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin's license • https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2015-4455 – Aviary Image Editor Add-on For Gravity Forms <= 3.0 (Beta r7) - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2015-4455
09 Jun 2015 — Unrestricted file upload vulnerability in includes/upload.php in the Aviary Image Editor Add-on For Gravity Forms plugin 3.0 beta for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in wp-content/uploads/gform_aviary. • https://packetstorm.news/files/id/132256 • CWE-434: Unrestricted Upload of File with Dangerous Type •
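The advisory above gives the two ingredients of CWE-434 in a WordPress plugin: the client's file name is trusted, and the destination directory is web-served and executes PHP. The block below is an added illustration written for this listing, not the Aviary add-on's includes/upload.php; only the `gform_aviary` directory name is taken from the advisory, and the function names are hypothetical.

```php
<?php
// Added illustration of CWE-434; NOT the Aviary Image Editor add-on's code.
// 'gform_aviary' is the directory named in the advisory; function names are hypothetical.

// Vulnerable: the client-supplied name is kept, so shell.php lands in a web-served directory
// and executes on the next GET to wp-content/uploads/gform_aviary/shell.php.
function gfa_upload_vulnerable() {
    $dir = wp_upload_dir();
    move_uploaded_file( $_FILES['file']['tmp_name'], $dir['basedir'] . '/gform_aviary/' . $_FILES['file']['name'] );
}

// Hardened: image allowlist checked against the bytes, server-chosen file name,
// and a directory that refuses to execute PHP even if a later bug lets one through.
function gfa_upload_hardened() {
    if ( ! isset( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        return new WP_Error( 'gfa_no_file', 'No file uploaded' );
    }
    $tmp  = $_FILES['file']['tmp_name'];
    $name = sanitize_file_name( $_FILES['file']['name'] );

    // wp_check_filetype_and_ext() matches the extension against the allowlist AND inspects the
    // content (finfo / getimagesize), so image.php and shell.jpg-with-PHP-inside both fail here.
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' );
    $check   = wp_check_filetype_and_ext( $tmp, $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || false === @getimagesize( $tmp ) ) {
        return new WP_Error( 'gfa_bad_type', 'Only JPEG, PNG and GIF images are accepted' );
    }

    $dir    = wp_upload_dir();
    $target = trailingslashit( $dir['basedir'] ) . 'gform_aviary/';
    wp_mkdir_p( $target );

    // Apache 2.4 rule; on nginx the equivalent is a location block that returns 403 for \.php$ here.
    if ( ! file_exists( $target . '.htaccess' ) ) {
        file_put_contents(
            $target . '.htaccess',
            "<FilesMatch \"\\.(php|phtml|phar)$\">\nRequire all denied\n</FilesMatch>\n"
        );
    }

    // The stored name is generated server-side; nothing from the request reaches the path.
    $dest = $target . wp_generate_password( 16, false ) . '.' . $check['ext'];
    if ( ! move_uploaded_file( $tmp, $dest ) ) {
        return new WP_Error( 'gfa_move_failed', 'Could not store the upload' );
    }
    return $dest;
}
```

The content check and the execution-denying directory are independent layers: the first stops the file from being stored, the second stops it from running if the first is ever bypassed (for example by a double extension the web server maps to PHP). Keeping the original file name, even after sanitize_file_name(), is the mistake the advisory describes.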