Plugin inspection:

Gravity Forms

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 1.7.11 of this plugin, but the most recent version is 1.8.13. These findings may no longer be correct.

View the recommendation for version 1.8.13 of this plugin instead

Findings

Big warning: This plugin is vulnerable to arbitrary code execution if files are permitted to be uploaded by end users and no configuration prevents the execution of PHP in uploaded files. You should not use this plugin (or, arguably, any other one) to allow files to be uploaded by untrusted users.

The plugin is very large at over 17k SLOC, so this short inspection will likely miss many potential issues.

  • Several uses of create_function() where the second argument is constructed with variables
  • Two invocations of eval()
  • No unescaped SQL was found

If a form is added with file upload:

  • When files are uploaded by end-users they are stored in a directory which is unique to the form
  • That directory's name is the form ID (easily guessable), '-' (even easier to guess), followed by a wp_hash() of the form ID (using the AUTH_KEY)
  • So long as salts are set correctly, that value should not be knowable, unless leaked by a malicious html or php4 file that is uploaded and clicked on by an admin.
  • Admins should take care not to reveal the URLs of content uploaded via Gravity Forms, as an attacker could use that information in combination with a local file inclusion vulnerability to run arbitrary code on the server
  • Files with the extension php4 can be uploaded by non-privileged users. If the admin clicked on this uploaded file, arbitrary code could be run.
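The warning above hinges on a server that will execute PHP out of the upload directory. Added example, not part of Gravity Forms or of this inspection: an Apache .htaccess for the directory that receives end-user uploads (the exact path is site-specific and assumed) that refuses to serve PHP-style files, including the php4 case noted above.

```apache
# Added hardening example (assumed to live as .htaccess in the directory
# that receives end-user uploads; not Gravity Forms code).
#
# Refuse to serve any file with a PHP-style extension. The pattern matches
# the extension either at the end of the name or followed by another dot,
# so "shell.php4" and "shell.php.jpg" are both refused; this closes the
# double-extension case that AddHandler-based PHP setups can execute.
<FilesMatch "\.(php|php[0-9]|phtml|phar|phps)(\.|$)">
    # Apache 2.4 (mod_authz_core present)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# Do not rely on php_flag engine off alone: it only applies when PHP runs
# as an Apache module (mod_php) and is ignored under php-fpm/FastCGI, and
# it errors if mod_php is not loaded. The FilesMatch block above works in
# both deployment styles.
```

The directory's AllowOverride must permit these directives (Limit/AuthConfig) for the file to take effect; verify by requesting a known .php4 file in that directory and confirming a 403 rather than executed output.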

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

Use of eval() and create_function() where PHP code is constructed from variables is almost never safe. Vulnerable to LFI if an upload path were exposed.

Failure criteria

  • Unsafe generation of PHP code
  • Unsafe file or network IO

Read more about our failure criteria.