Miggo Logo
Miggo Vulnerability Database
CVE-2020-27852

CVE-2020-27852: Gravity Forms stored Cross-Site Scripting (XSS) vulnerability in the survey feature

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-27852
GHSA ID
GHSA-pjv5-v9gv-3679
EPSS Score
0.44441%
CWE
CWE-79
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
wp-premium/gravityformscomposer>= 2.4, < 2.4.212.4.21

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The provided information describes a stored XSS vulnerability in Gravity Forms' survey textarea field handling, but does not include specific code examples, commit diffs, or technical implementation details showing how user input was processed. While the vulnerability clearly exists in survey feature input handling, the lack of concrete evidence about: 1) Which specific functions handle textarea input sanitization 2) Which output rendering functions lack proper escaping 3) Architectural details about Gravity Forms' survey module implementation makes it impossible to identify exact vulnerable functions with high confidence. The advisory suggests the vulnerability exists in processing textarea fields, but without seeing the pre-patch code or patch changes, we cannot definitively name specific functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* stor** *ross-Sit* S*riptin* (XSS) vuln*r**ility in t** surv*y ***tur* in Ro*k*t**nius *r*vity *orms ***or* *.*.** *llows r*mot* *tt**k*rs to inj**t *r*itr*ry w** s*ript or *TML vi* * t*xt*r** *i*l*. T*is *o** is int*rpr*t** *y us*rs in * privil****

Reasoning

T** provi*** in*orm*tion **s*ri**s * stor** XSS vuln*r**ility in *r*vity *orms' surv*y t*xt*r** *i*l* **n*lin*, *ut *o*s not in*lu** sp**i*i* *o** *x*mpl*s, *ommit *i**s, or t***ni**l impl*m*nt*tion **t*ils s*owin* *ow us*r input w*s pro**ss**. W*il*