Security and Bug Fixes Backported to v5

Featured image for the Gravity PDF v5 Security Updates blog post

We’ve backported a number of important security and bug fixes released in Gravity PDF 6.4 to Gravity PDF v5.4.1 and v5.3.5 so that users running older versions of our software can be a little safer. We’ve also released Gravity PDF v5.4.2 which resolves an issue with the Core Font Installer in pre-WordPress 5.9.

If you are still running v5 and cannot currently upgrade to v6, we strongly recommend installing v5.4.1 as soon as possible.

Gravity PDF v5 will receiving security and bug fixes until 27 April 2023. Ensure you’ve a migration plan in place to upgrade to v6 before we discontinue support for v5.

How to Update your Version of Gravity PDF

These updates are available via If you don’t get prompted to upgrade automatically in your WordPress admin area, you can install the update manually. To do so, locate the ‘Previous Versions’ dropdown at the bottom of the page, select the desired version and then download. Once completed, upload via File Upload in WordPress or via FTP.

If you have any questions or need assistance, please reach out to our friendly support team.


v5.3.5 and v5.4.1

Security Updates

  • Backport additional validation checks to the Core Font installer
  • Backport fix for potential XSS attack by escaping URL returned from add_query_args() on the PDF List or PDF Form Settings pages
  • Backport late-escaping from Gravity PDF 6.4
  • Backport earlier sanitizing of user input
  • Backport custom PDF template filenames are now limited to the following characters: A-Za-z0-9_-
  • Backport ?html=1 and ?data=1 developer helper parameters now only work in non-production environments (WP_ENVIRONMENT_TYPE !== 'production'), or when Gravity PDF Debug Mode is explicitly enabled
  • Backport prevent directory traversal when loading the various Gravity PDF UI components
  • Backport PDF Form Settings capability check from gravityforms_edit_settings to gravityforms_edit_forms

Bugs Fixed

  • Backport PHP8.1 type conversion warning in the template cache when transient’s are flushed
  • Backport background queue from continuing if retry limit reached on unrecoverable task (like generating the PDF)
  • Backport a race condition fix when using Background Processing that could see the PDF deleted before being attached to notifications
  • Adjust all links to point to


Bug Fixed

  • Remove wp_json_file_decode() function to fix Core Font Installer issue on pre-WordPress 5.9 versions
Stay on top!
Never miss out on the latest news and updates in Gravity PDF land. Subscribe to our newsletter now!