Gravity PDF 6.9.1 Prevents PDF Download Link Vulnerability

Summary

This update includes a security enhancement that stops a site owner from creating an insecure configuration when combining the PDF Download Link with a Gravity Forms Page Confirmation.

Does this vulnerability affect you?

To be affected, a site owner would need to have added a [gravitypdf] shortcode (which generates a PDF Download Link) to a public WordPress post or page used as a Gravity Forms Page Confirmation, and to have specifically enabled the optional Signed PDF URL feature on that shortcode.

Since August 2022, the Gravity PDF documentation for the Page Confirmation and PDF Download Link configuration has included a prominent alert warning users about the potential for misconfiguration.

A screenshot of the warning in the Gravity PDF documentation. It reads "Do not use the Signed PDF URL feature with this confirmation type, as an end user will be able to change the entry ID in the URL and get access to other PDFs. Signed URLs can be safely used with Text or Redirect Confirmation types. Alternatively, non-signed PDF URLs are not vulnerable, and can be safely used in Page Confirmations."
An alert shown in the Page Confirmation section of Gravity PDF documentation warning users about this vulnerability.

To prevent this vulnerability altogether, the 6.9.1 release automatically disables the Signed PDF URL feature whenever the entry ID is supplied by the user through a URL parameter (which is the case with Page Confirmations). The link then behaves as a non-signed PDF URL, which is not affected by this issue.
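The following PHP is an added illustration of why signing a link whose entry ID came from the request defeats the purpose of signing, and of the 6.9.1-style fix described above. It is not Gravity PDF code: the HMAC signing scheme, the URL layout, the `entry` query parameter and the function names are all assumptions made for this example.

```php
<?php
// Added illustration only: not Gravity PDF code. The signing scheme, URL layout,
// parameter names and function names are assumptions made for this example.

const DEMO_SECRET = 'constructed-secret-for-this-example'; // never hard-code in real code

// Build a PDF download link. When $signed is true the path and an expiry are
// bound to an HMAC so the link cannot be altered without the secret. Signed
// links are served without a login check, which is what makes them useful in
// e-mails and what makes signing a user-chosen entry ID dangerous.
function build_pdf_url(int $entry_id, string $pdf_id, bool $signed, int $now): string
{
    $path = "/pdf/{$pdf_id}/{$entry_id}/";
    if (!$signed) {
        return $path;
    }
    $expires   = $now + 3600;
    $signature = hash_hmac('sha256', $path . '|' . $expires, DEMO_SECRET);
    return $path . '?' . http_build_query(['expires' => $expires, 'signature' => $signature]);
}

// Server-side check for a request to a PDF URL. A valid, unexpired signature
// grants access outright; otherwise the requester must own the entry.
function authorize_download(string $url, ?int $requester_owns_entry, int $now): bool
{
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $query);
    if (isset($query['signature'], $query['expires'])) {
        $expected = hash_hmac('sha256', $parts['path'] . '|' . $query['expires'], DEMO_SECRET);
        if ((int) $query['expires'] >= $now && hash_equals($expected, (string) $query['signature'])) {
            return true;
        }
        // Bad or expired signature: fall through to the ownership check.
    }
    if (!preg_match('#^/pdf/[^/]+/(\d+)/$#', $parts['path'], $m)) {
        return false;
    }
    return $requester_owns_entry !== null && (int) $m[1] === $requester_owns_entry;
}

// Pre-6.9.1 behaviour as the release notes describe it: when the shortcode has
// no fixed entry attribute it falls back to the request, and still signs.
function shortcode_before(array $atts, array $request, int $now): string
{
    $entry_id = isset($atts['entry']) ? (int) $atts['entry'] : (int) $request['entry'];
    return build_pdf_url($entry_id, $atts['id'], ($atts['signed'] ?? '0') === '1', $now);
}

// 6.9.1-style behaviour: signing is only honoured when the entry ID is fixed in
// the shortcode itself. An entry ID read from the request is never signed, so
// the normal ownership check applies to the resulting link.
function shortcode_after(array $atts, array $request, int $now): string
{
    if (isset($atts['entry'])) {
        return build_pdf_url((int) $atts['entry'], $atts['id'], ($atts['signed'] ?? '0') === '1', $now);
    }
    return build_pdf_url((int) $request['entry'], $atts['id'], false, $now);
}

// Constructed scenario: a Page Confirmation renders [gravitypdf id="abc123" signed="1"]
// and an anonymous visitor rewrites the entry parameter to someone else's entry.
$atts    = ['id' => 'abc123', 'signed' => '1'];
$request = ['entry' => '999']; // victim's entry ID, chosen by the attacker
$now     = 1700000000;

$before = shortcode_before($atts, $request, $now);
$after  = shortcode_after($atts, $request, $now);

printf("before: %s\n  anonymous access granted: %s\n", $before,
    var_export(authorize_download($before, null, $now), true));
printf("after:  %s\n  anonymous access granted: %s\n", $after,
    var_export(authorize_download($after, null, $now), true));
```

Run with `php example.php`. In the "before" case the shortcode happily signs whatever entry ID the attacker put in the query string, so `authorize_download` grants an anonymous request access to entry 999. In the "after" case the same request yields an unsigned link, and the anonymous requester fails the ownership check. The signature was never the problem; signing data the attacker controls was.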

Refer to our documentation to learn more about the security protocols Gravity PDF uses to prevent unauthorised access to your PDFs.

How to Upgrade Gravity PDF?

This update is available via WordPress One-Click Updates, or the plugin can be downloaded from WordPress.org and installed manually via File Upload or FTP.

If you have any questions or need assistance, please reach out to our friendly support team.

Changelog

Security

  • Disable the Signed URL feature in the [gravitypdf] shortcode when a URL parameter provides the entry ID (e.g. Page Confirmations)

Housekeeping

  • Small improvement to performance when reading template and font files from disk

Bugs Fixed

  • Gracefully handle invalid conditional logic rules when adding date entry meta support
  • Display field for entry metadata PDF conditional rule when there are no form fields compatible with conditional logic
  • Ensure the template cache is correctly cleared when PDF Debug Mode is enabled
  • Flush the template cache after installing new templates via the PDF Template Manager
  • Clear template cache when plugin deactivated