- Vulnerability: CVE-2024-0710 (Unauthenticated Form Submission Unique ID Modification)
- CVSS: 5.3 (Medium)
- Software: GP Unique ID (gp-unique-id)
- Affected versions: <= 1.5.5
- Patched version: 1.5.6
- Developer: Gravity Wiz
- Researcher: Karl Emil Nikka, Nikka Systems
- Publicly published: 2024-04-10
- Last updated: 2024-04-18
An unauthenticated form submitter can choose a custom value for a field that is supposed to always have a random or sequential value. This vulnerability only affects sites where the value must be either random or sequential for legal, functional or security reasons.
GP Unique ID is an addon for Gravity Forms. It assigns unique IDs to entries after successful submission. In contrast to the entries’ actual database IDs, the GP Unique IDs, hereafter called GPUIDs, can be customized by the form creator to follow a specific syntax with defined starting number, character set, length, prefix, and suffix. The GPUID is stored in a custom Gravity Forms entry field. The field is hidden on the frontend.
The plugin developer lists the following common use cases for GP Unique ID.
- Provide a set-length confirmation or reference number for each entry.
- Maintain a sequential invoice number.
- Generate a unique coupon code that can be used on subsequent form submissions.
- Generate a unique number for use in raffles.
GP Unique ID assigns the GPUID after the form has been successfully submitted, but only as long as there isn’t a value in the field already. This allows a form submitter to set a custom GPUID when submitting the form. Since the field isn’t empty, no real GPUID gets stored. A visitor can therefore
- set a GPUID that doesn’t follow the syntax
- set GPUID that isn’t sequential
- set a GPUID that isn’t random
- set a GPUID that already is assigned to another entry.
Gravity Wiz released a patched version of the plugin on 2024-04-09. Site administrators should update to the patched version (1.5.6) and, if relevant, make sure the previous submissions haven’t been tampered with.
- 2024-01-13 I reported the vulnerability to Gravity Wiz (according to Project Zero’s 90-day responsible disclosure policy).
- 2024-01-13 I submitted the vulnerability to Wordfence’s CNA. I declined participating in their bug-bounty program.
- 2024-01-15 Gravity Wiz confirmed they had received the report.
- 2024-01-16 Gravity Wiz acknowledged the vulnerability and told me they would release a patch for it.
- 2024-01-19 Wordfence assigned the vulnerability CVE ID CVE-2024-0710.
- 2024-02-29 I sent a 45-day reminder to Gravity Wiz.
- 2024-04-01 I sent a reminder that the 90-day responsible disclosure window would end in two weeks.
- 2024-04-07 Gravity Wiz sent me a pre-release version of the patched plugin.
- 2024-04-09 Gravity Wiz released the patched plugin, 87 days after initial report (within the 90-day responsible disclosure window).