Impact
The Real Time Validation for Gravity Forms WordPress plugin contains a CWE‑352 Cross‑Site Request Forgery flaw: the request that changes the plugin's configuration is accepted without proof that the logged‑in user actually intended it, so an attacker can craft that request and have a victim's browser submit it without the victim's knowledge. Because the settings control how form data is validated, an attacker could weaken or disable validation, potentially enabling other injection or data‑manipulation attacks against the forms. The impact is configuration compromise, which may undermine the security posture of the website but does not directly disclose data or execute code.
Affected Systems
The plugin, developed by Daman Jeet, is vulnerable in all releases up to and including version 1.7.0. Any site running the Real Time Validation for Gravity Forms plugin at version 1.7.0 or earlier is affected.
Risk and Exploitability
The CVSS score of 4.3 places this flaw in the Medium severity band. The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild, and the flaw is not listed in CISA's KEV catalog. Exploitation requires a victim who is logged in to the WordPress site with permission to edit the plugin's settings: the attacker lures that user to an attacker‑controlled page (or plants the payload where the user will encounter it), and the victim's browser submits the forged request with the site's session cookie attached. The attacker needs no account or privileges on the target site, but cannot succeed without that user interaction; the attack is remote over HTTP(S). SameSite cookie defaults in modern browsers reduce but do not eliminate this exposure and are not a substitute for a server‑side nonce check.
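To make the CWE‑352 pattern described above concrete, here is an added illustration of a WordPress settings handler in its vulnerable and hardened forms. This is example code written for this page, not code from the Real Time Validation for Gravity Forms plugin or its author; the option name `rtv_demo_settings`, the menu slug `rtv-demo` and the `rtv_demo_*` function and field names are all assumed for the example.

```php
<?php
// Added illustration of CWE-352 in a WordPress settings handler. Not the
// plugin's own code: option name 'rtv_demo_settings', menu slug 'rtv-demo'
// and all rtv_demo_* names are assumptions made for this example.

// VULNERABLE pattern: the handler trusts any POST that reaches it. A
// logged-in administrator who loads an attacker's page that auto-submits
// a form to the admin URL will have the browser attach the WordPress auth
// cookie, and the setting changes silently.
function rtv_demo_save_settings_vulnerable() {
    if ( isset( $_POST['rtv_demo_validate_email'] ) ) {
        update_option( 'rtv_demo_settings', array(
            'validate_email' => (bool) $_POST['rtv_demo_validate_email'],
        ) );
    }
}

// HARDENED pattern: a capability check plus a nonce bound to the action
// and to the user's session. check_admin_referer() stops the request with
// a 403 when the nonce is missing, wrong or stale; a cross-origin page
// cannot obtain a valid nonce for the victim, so the forged POST is dropped.
function rtv_demo_save_settings_hardened() {
    if ( ! isset( $_POST['rtv_demo_save'] ) ) {
        return; // not a settings submission
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'rtv_demo_save_settings', 'rtv_demo_nonce' );

    $settings = array(
        'validate_email' => ! empty( $_POST['rtv_demo_validate_email'] ),
    );
    update_option( 'rtv_demo_settings', $settings );
}

// The settings form must emit the matching nonce field; without it every
// legitimate save would be rejected as well.
function rtv_demo_render_settings_page() {
    $settings = get_option( 'rtv_demo_settings', array( 'validate_email' => true ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=rtv-demo' ) ); ?>">
        <?php wp_nonce_field( 'rtv_demo_save_settings', 'rtv_demo_nonce' ); ?>
        <label>
            <input type="checkbox" name="rtv_demo_validate_email" value="1"
                <?php checked( ! empty( $settings['validate_email'] ) ); ?> />
            Validate email fields in real time
        </label>
        <button type="submit" name="rtv_demo_save" value="1">Save</button>
    </form>
    <?php
}

add_action( 'admin_init', 'rtv_demo_save_settings_hardened' );
```

Plugins that save options through the WordPress Settings API (`register_setting()` with a form posted to `options.php`) get the nonce and capability checks from core; a custom handler like the one above has to perform both explicitly, and the nonce check alone is not enough because a nonce only proves intent, not authorization.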
OpenCVE Enrichment