CVE-2024-13377
GravityForms <= 2.9.1.3 - Unauthenticated Stored Cross-Site Scripting via 'alt' parameterThe Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alt’ parameter in all versions up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 360,154 live websites that are affected by CVE-2024-13377.
Affected Software
| Product |  Gravity Forms |
| Category | Wordpress Plugins |
| Vulnerable Domains | 360,154 live websites (64.73% of Gravity Forms install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 704 versions ( 98.32% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Jan 17, 2025
- Updated - Feb 12, 2025
Credits
- Michael Mazzolini (finder)
CWE
CVE References
CWE References
CVE-2024-13377 usage by Country
 United States | 241,240 websites |
 Netherlands | 15,601 websites |
 GB | 14,516 websites |
 Germany | 13,607 websites |
 France | 12,909 websites |
 Australia | 12,638 websites |
 Canada | 6,518 websites |
 Singapore | 4,054 websites |
 Belgium | 3,373 websites |
 South Africa | 3,367 websites |
CVE-2024-13377 usage by TLD
| .com | 207,744 websites |
| .org | 23,819 websites |
| .com.au | 18,466 websites |
| .nl | 17,092 websites |
| .co.uk | 14,426 websites |
| .ca | 9,050 websites |
| .net | 7,673 websites |
| .fr | 6,834 websites |
| .de | 5,290 websites |
| .be | 2,859 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-13377
Top websites that are affected by CVE-2024-13377. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.org | United States | *** | |
| *********.de | Germany | *** | |
| *********.com | United States | *** | |
| ***********.com | United States | *,*** | |
| **********.com | United States | *,*** | |
| ************.com | United States | *,*** | |
| ***.com | United States | *,*** | |
| *******.com | United States | *,*** | |
| **********.com | United States | *,*** | |
| ***********.com | United States | *,*** |
FAQ
CVE-2024-13377 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Gravity Forms
A total of 360,154 websites have been identified as vulnerable to CVE-2024-13377, discovered through global website indexing conducted by WebTechSurvey.
Gravity Forms is susceptible to CVE-2024-13377 vulnerability.
Gravity Forms versions before, and including, 2.9.1.3 are vulnerable to CVE-2024-13377.