Tadokun

**Name of the Vulnerable Software and Affected Versions** Gravity Forms versions prior to 2.10.1 **Description** The plugin is subject to unauthenticated stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server. This occurs due to insufficient input validation and output escaping in the SingleProduct field when nested within a Repeater field. Specifically, the `validate subfield()` method calls the `validate()` method, which only checks the quantity field and ignores the product name field, bypassing the `failed state validation()` mechanism. Consequently, an attacker can inject arbitrary HTML and JavaScript into the product name field. This input is saved without sanitization because `sanitize entry value()` returns raw values for this field type. The payload executes in an administrator's browser when they view the entry via the endpoint 'wp-admin/admin.php?page=gf entries' because the `get value entry detail()` method outputs the product name without escaping. **Recommendations** Update to a version later than 2.10.0.

**Name of the Vulnerable Software and Affected Versions** Gravity Forms versions prior to 2.10.1 **Description** The plugin is subject to unauthenticated stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server and executed in the browser of a user. This occurs because of insufficient input validation and output escaping of Calculation Product field product names within Repeater fields. Specifically, the `validate()` method in the `GF Field Calculation` class fails to validate the product name field, and the `sanitize entry value()` method saves the raw value without sanitization. When an administrator with the `gravityforms view entries` capability views the entry detail page, the `get value entry detail()` method concatenates the unescaped product name into the output string, allowing arbitrary web scripts to execute. **Recommendations** Update to a version later than 2.10.0.

**Name of the Vulnerable Software and Affected Versions** Gravity Forms versions prior to 2.10.1 **Description** The plugin is subject to Stored Cross-Site Scripting (XSS) via hidden inputs in the Consent field. This occurs because of a flawed state validation mechanism that fails open when input is sanitized by `wp kses()`, combined with insufficient output escaping. The validation logic generates two hashes (one for raw input and one for `wp kses()` sanitized input) and only fails if both hashes differ from the original state. An unauthenticated attacker can inject XSS payloads using tags stripped by `wp kses()`, such as `<svg>`, allowing the malicious raw value to be saved to the database. The payload executes when an authenticated administrator views the Entries List page, as the stored consent label is output without proper escaping. **Recommendations** Update to a version later than 2.10.0.

**Name of the Vulnerable Software and Affected Versions** Gravity Forms versions prior to 2.10.1 **Description** The plugin is subject to Stored Cross-Site Scripting due to insufficient validation and output escaping of Product Option field values. The issue occurs because the state validation function accepts submitted values where the `wp kses()` sanitized version matches a legitimate option value, but the raw unsanitized value is stored in the database. Unauthenticated attackers can inject arbitrary web scripts into entry data. These scripts execute when an administrator views entry details in the Order Summary section, specifically where the `option label` is output without escaping in the 'view-order-summary.php' file at line 32. **Recommendations** Update to a version later than 2.10.0.

**Name of the Vulnerable Software and Affected Versions** Gravity Forms versions prior to 2.10.1 **Description** Stored Cross-Site Scripting occurs due to insufficient input validation and output escaping on Hidden Product field values when used inside Repeater fields. Specifically, repeater subfields bypass state validation checks, and the `validate()` method for Hidden Product only validates the quantity field, ignoring the product name field. This product name is subsequently output without proper escaping in the `get value entry detail()` method, allowing unauthenticated attackers to inject arbitrary web scripts through form submissions that execute when an administrator views the entry details. **Recommendations** Update to a version later than 2.10.0.

Name of the Vulnerable Software and Affected Versions Gravity Forms plugin for WordPress versions up to and including 2.9.30 Description The Gravity Forms plugin for WordPress is susceptible to Stored Cross-Site Scripting through the Credit Card field's 'Card Type' sub-field (`input <id>.4`). This occurs because the `get value entry detail()` method in the `GF Field CreditCard` class outputs the card type value without proper escaping, and the `get value save entry()` method accepts and stores unsanitized user input for the `input <id>.4` parameter. The Card Type field, while not typically displayed on the frontend form, is processed by the backend submission parser if included in the POST request, allowing unauthenticated attackers to inject malicious web scripts that execute when an administrator views the form entry in the WordPress dashboard. Recommendations Update Gravity Forms to a version later than 2.9.30.

**Name of the Vulnerable Software and Affected Versions** Blackhole for Bad Bots versions prior to 3.9 **Description** The Blackhole for Bad Bots plugin for WordPress is susceptible to Stored Cross-Site Scripting through the User-Agent HTTP header. This occurs because of inadequate input sanitization and output escaping. The plugin utilizes `sanitize text field()` to capture bot data, which removes HTML tags but does not escape HTML entities. The data is then stored using `update option()`. When an administrator views the Bad Bots log page, the stored data is directly inserted into HTML input value attributes (lines 75-83) without `esc attr()` and into HTML span content without `esc html()`. This allows unauthenticated attackers to inject malicious web scripts that execute when an administrator accesses the Blackhole Bad Bots admin page. **Recommendations** Update Blackhole for Bad Bots to version 3.9 or later.