Findings
Big warning: This plugin is vulnerable to arbitrary code execution if files are permitted to be uploaded by end users and no configuration prevents the execution of PHP in uploaded files. You should not use this plugin (or, arguably, any other one) to allow files to be uploaded by untrusted users.
The plugin is very large at over 17k SLOC, so this inspection will not be able to find many potential issues.
- Several uses of create_function() where the second argument is constructed with variables
- Two invocations of eval()
- No unescaped SQL was found
If a form is added with file upload:
- When files are uploaded by end-users they are stored in a directory which is unique to the form
- That directory’s name is the form ID (easily guessable), ‘-‘ (even easier to guess), followed by a wp_hash() of the form ID (using the AUTH_KEY)
- So long as salts are set correctly, that value should not be knowable, unless leaked by a malicious html or php4 file that is uploaded and clicked on by an admin.
- Admins should take care not to reveal the URLs of content uploaded via Gravity Forms as an attacker could use that information in combination with an local file inclusion vulnerability to run arbitrary code on the server
- Files with the extension php4 can be uploaded by non-privileged users. If the admin clicked on this uploaded file, arbitrary code could be run.
Reason for the 'Use with caution' result
The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:
Use of eval() and create_function() where PHP code is constructed from variables is almost never safe. Vulnerable to LFI if an upload path were exposed.