CVE-2025-53263
Description
Cross-Site Request Forgery (CSRF) vulnerability in PluginsCafe Address Autocomplete via Google for Gravity Forms (gf-google-address-autocomplete) allows Cross Site Request Forgery. This issue affects Address Autocomplete via Google for Gravity Forms: from n/a through <= 1.3.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Address Autocomplete via Google for Gravity Forms plugin (≤1.3.4) allows attackers to force privileged users to execute unwanted actions.
Vulnerability Overview
The Address Autocomplete via Google for Gravity Forms plugin for WordPress (versions up to and including 1.3.4) is affected by a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw arises from insufficient validation of requests, allowing a malicious actor to trick authenticated users into performing unintended actions without their knowledge.
Exploitation Details
Exploitation requires user interaction—the attacker must convince a privileged user (e.g., an administrator) to click a malicious link, visit a crafted page, or submit a specially designed form [1]. Because the request appears legitimate to the application, the victim's session can be used to execute unwanted operations under their current authentication level.
Impact
Successful exploitation could enable an attacker to force higher-privileged users to perform actions such as modifying plugin settings, altering configurations, or performing other state-changing operations [1]. The CVSS v3 score is 5.4 (Medium), indicating moderate severity with a requirement for user interaction.
Mitigation
The vendor has released version 1.3.5, which resolves the vulnerability [1]. Users are strongly advised to update immediately or enable auto-updates for vulnerable plugins. No workarounds are currently documented, and the issue is considered low severity but may be targeted in mass-exploit campaigns.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <=1.3.4
- (no CPE) range: <=1.3.4
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.