Plugin inspection:

Gravity Forms

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Findings

  • At over 26,000 lines of PHP this is a very large plugin, which makes it difficult to thoroughly assess
  • Uses eval() in PHP code (the value passed to eval() contains only whitelisted characters, but it is unknown whether that character whitelist is restrictive enough to be safe)
  • Uses create_function() on values which may or may not be integers (create_function() compiles its string arguments into code in the same way as eval(), so a non-integer value becomes code; the function is deprecated since PHP 7.2 and removed in PHP 8.0)
  • Uses eval() in JavaScript
  • Does not consistently escape values that are interpolated into SQL
  • Allows users authorised to use the API to inject arbitrary SQL: arguments are escaped with esc_sql(), which only escapes quote characters so a value can sit inside a quoted SQL string literal. A value interpolated without quotes (e.g. in an integer position) needs no quote to break out of the statement, so esc_sql() does not prevent injection there
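The following is an added example, not code from Gravity Forms or from this report, illustrating why a character whitelist in front of eval() is a weaker control than checking the value against the grammar it is supposed to have. The report does not say which characters the plugin whitelists; the whitelist used here is a hypothetical one of the kind used for arithmetic formulas, and passes_char_whitelist(), passes_arith_grammar() and evaluate_formula() are names chosen for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Runs stand-alone with the PHP CLI.
// The character whitelist below is hypothetical: the report does not state
// which characters the plugin actually permits before calling eval().

// Hypothetical character whitelist: digits, operators, parentheses, dot,
// space, and identifier characters (as a formula feature that substitutes
// field names would need). Identifiers are exactly what lets a function
// call through.
function passes_char_whitelist(string $expr): bool
{
    return preg_match('/^[A-Za-z0-9_+\-*\/(). ]+$/', $expr) === 1;
}

// Grammar check: once field values have been substituted, a valid formula is
// numbers joined by + - * /, with optional parentheses. No identifier can
// match this, so no function call can reach eval().
function passes_arith_grammar(string $expr): bool
{
    $number = '\(*\s*\d+(?:\.\d+)?\s*\)*';
    if (preg_match("/^\s*{$number}(?:\s*[-+*\/]\s*{$number})*\s*$/", $expr) !== 1) {
        return false;
    }
    // Coarse balance check; a still-malformed formula such as "1)+(2" only
    // raises a ParseError in eval(), it cannot execute anything.
    return substr_count($expr, '(') === substr_count($expr, ')');
}

function evaluate_formula(string $expr): float
{
    if (!passes_arith_grammar($expr)) {
        throw new InvalidArgumentException('formula is not plain arithmetic');
    }
    return (float) eval('return ' . $expr . ';');
}

// Constructed inputs: a benign formula and a payload. php_uname() is a
// harmless stand-in for whatever function an attacker would really call.
$benign  = '(1 + 2) * 3';
$payload = 'php_uname()';

foreach ([$benign, $payload] as $expr) {
    printf("%-14s char-whitelist=%s grammar=%s\n", $expr,
        passes_char_whitelist($expr) ? 'pass' : 'fail',
        passes_arith_grammar($expr) ? 'pass' : 'fail');
}

// What eval() does with a payload the character whitelist admits: it calls
// the function. With the grammar check in front, the same payload is rejected.
var_dump(passes_char_whitelist($payload) ? eval('return ' . $payload . ';') : null);
var_dump(evaluate_formula($benign));
try {
    evaluate_formula($payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The grammar check still ends in eval(), which is only acceptable because the accepted language contains no identifiers; a small expression parser would remove eval() altogether and is the better fix for new code.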

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

  • Uses PHP’s eval() which could lead to arbitrary code execution.
  • Allows admin users to enter arbitrary SQL in update statements
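The following is an added example, not code from Gravity Forms or from WordPress, showing the esc_sql() limitation behind the second point: escaping quote characters protects a value that sits inside a quoted string literal, but does nothing for a value interpolated unquoted in an integer position. esc_sql_stub() stands in for WordPress's esc_sql(), the table and column names are hypothetical, and the two payloads are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's or WordPress's code. Runs stand-alone with
// the PHP CLI. esc_sql_stub() imitates esc_sql(): both backslash-escape
// quote characters for use inside a quoted SQL string literal, and neither
// changes a value that is interpolated without quotes.
function esc_sql_stub(string $value): string
{
    return addslashes($value);
}

// Constructed attacker input for an integer field such as a record id.
const INJECTED_ID = '1 OR 1=1';
// Constructed attacker input for a string field.
const INJECTED_TITLE = "x' OR 1=1 -- ";

// Pattern A: string context. esc_sql() is the right tool here; the quote is
// escaped and the whole payload stays inside the literal.
function deactivate_by_title(string $title): string
{
    return "UPDATE wp_example_forms SET is_active = 0 WHERE title = '"
        . esc_sql_stub($title) . "'";
}

// Pattern B (vulnerable): integer context. The value is escaped, but it is
// interpolated unquoted, so there is no quote to escape out of and the
// attacker simply extends the WHERE clause.
function deactivate_by_id_unsafe(string $id): string
{
    return 'UPDATE wp_example_forms SET is_active = 0 WHERE id = '
        . esc_sql_stub($id);
}

// Pattern B (fixed): check that the value really is an integer and
// interpolate the integer, not the string. Inside WordPress the equivalent
// is $wpdb->prepare('... WHERE id = %d', $id), whose %d applies the same cast.
function deactivate_by_id_safe(string $id): string
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    return 'UPDATE wp_example_forms SET is_active = 0 WHERE id = ' . $n;
}

echo deactivate_by_title(INJECTED_TITLE), PHP_EOL;   // payload stays inside the literal
echo deactivate_by_id_unsafe(INJECTED_ID), PHP_EOL;  // WHERE id = 1 OR 1=1 matches every row
try {
    echo deactivate_by_id_safe(INJECTED_ID), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo deactivate_by_id_safe('42'), PHP_EOL;
```

The check a reviewer would run against the plugin is therefore not "is every argument passed through esc_sql()?" but "is every escaped value interpolated inside quotes, and is every unquoted value cast to the type its position expects?"; $wpdb->prepare() with %d and %s placeholders answers both questions at once.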

Failure criteria

  • Execution of unprepared SQL statements
  • Unsafe generation of PHP code
  • Very large codebase

Read more about our failure criteria.