Miggo Logo
Miggo Vulnerability Database
CVE-2020-27850

CVE-2020-27850: Gravity Forms stored Cross-Site Scripting (XSS) vulnerability

4.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-27850
GHSA ID
GHSA-wmh7-782f-xfw5
EPSS Score
0.48052%
CWE
CWE-79
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
wp-premium/gravityformscomposer>= 2.4, < 2.4.212.4.21

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability exists in the form import functionality where user-supplied form data is processed. The GFExport::import_file function is the logical entry point for form imports in Gravity Forms. The stored XSS vulnerability implies that: 1) Imported form content wasn't properly sanitized before storage, and 2) Admin/Editor interfaces later render this unsanitized content. While exact code isn't available, Gravity Forms' architecture places import handling in the GFExport class, and the vulnerability pattern matches insufficient input sanitization during XML/JSON form data processing before database persistence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* stor** *ross-Sit* S*riptin* (XSS) vuln*r**ility in *orms import ***tur* in Ro*k*t**nius *r*vity *orms ***or* *.*.** *llows r*mot* *tt**k*rs to inj**t *r*itr*ry w** s*ript or *TML vi* t** import o* * ** *orm. T*is *o** is int*rpr*t** *y us*rs in * p

Reasoning

T** vuln*r**ility *xists in t** *orm import *un*tion*lity w**r* us*r-suppli** *orm **t* is pro**ss**. T** `***xport::import_*il*` *un*tion is t** lo*i**l *ntry point *or *orm imports in *r*vity *orms. T** stor** XSS vuln*r**ility impli*s t**t: *) Imp