
CVE-2020-27852: Gravity Forms stored Cross-Site Scripting (XSS) vulnerability in the survey feature

CVSS Score (v3.1)
5.4

Basic Information

EPSS Score
0.44441%
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name
wp-premium/gravityforms
Ecosystem
composer
Vulnerable Versions
>= 2.4, < 2.4.21
First Patched Version
2.4.21

Vulnerability Intelligence

Root Cause Analysis

The provided information describes a stored XSS vulnerability in Gravity Forms' handling of survey textarea fields, but it does not include code examples, commit diffs, or implementation details showing how user input was processed. The vulnerability clearly lies in the survey feature's input handling, but there is no concrete evidence about:

1) which functions sanitize textarea input;
2) which output rendering functions lack proper escaping;
3) how Gravity Forms' survey module is structured.

Without this, the exact vulnerable functions cannot be identified with high confidence. The advisory indicates that the flaw is in the processing of textarea fields, but without the pre-patch code or the patch itself, specific functions cannot be named definitively.


WAF Protection Rules

WAF Rule

A stored Cross-Site Scripting (XSS) vulnerability in the survey feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via a textarea field. This code is interpreted by users in a privileged
