CVE-2024-13377: GravityForms <= 2.9.1.3 - Unauthenticated Stored Cross-Site Scripting via 'alt' parameter
First published: Fri Jan 17 2025(Updated: )
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alt’ parameter in all versions up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gravity Forms | <=2.9.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-13377?
CVE-2024-13377 is considered a high severity vulnerability due to its potential for stored cross-site scripting attacks.
How do I fix CVE-2024-13377?
To fix CVE-2024-13377, update the Gravity Forms plugin to version 2.9.1.4 or later.
What types of attacks are possible with CVE-2024-13377?
CVE-2024-13377 allows unauthenticated attackers to inject malicious scripts through the 'alt' parameter.
Which versions of Gravity Forms are affected by CVE-2024-13377?
All versions of Gravity Forms up to and including 2.9.1.3 are affected by CVE-2024-13377.
Has CVE-2024-13377 been disclosed publicly?
Yes, CVE-2024-13377 has been publicly disclosed and is documented for awareness and remediation.
- agent/weakness
- agent/title
- agent/references
- agent/description
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/severity
- agent/author
- agent/event
- agent/source
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/gravity forms
- canonical/gravity forms