Gravity Forms Vulnerability for versions <= 2.9.1.3

Workhorse relies heavily on the Gravity Forms plugin to implement forms on websites we build and manage, including our own. This means a recent vulnerability disclosed on January 16, 2025 has affected many of our websites.

The cross-site scripting vulnerability, affecting versions <= 2.9.1.3, was rated 5.4/10 on the CVSS scale, a “medium” severity. However, Patchstack (a popular WordPress vulnerability patching and monitoring service) rated it a 7.1.

Regardless, Workhorse is in the process of remediating this on all websites. In addition, we are using “virtual patching” to mitigate this issue so it is not currently exploitable on our websites.

UPDATE 1/19/25 – All Workhorse managed websites are fully patched & tested

What do I need to do about the Gravity Forms <= 2.9.1.3 XSS vulnerability?

If you are a Workhorse client that we host or whose site we proactively manage, we’ve already patched this vulnerability for you as of January 19, 2025. If you are not, or you’re not sure, please contact us.