Description
The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

Stored Cross‑Site Scripting in the Magic Conversation For Gravity Forms plugin allows an attacker with contributor or higher privileges to insert arbitrary JavaScript through shortcode attributes. The plugin neither sanitizes the attribute values on input nor escapes them on output, so the injected script runs in the browser of any visitor who loads the affected page. This can result in session hijacking, defacement, or other client‑side attacks.
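To illustrate the defect class this advisory describes (CWE-79 through shortcode attributes), here is an added example that is not the plugin's own code: a hypothetical WordPress shortcode handler that echoes its attributes unmodified, next to a hardened version that allow-lists and context-escapes them. The attribute names (`title`, `class`, `link`) and the demo shortcode tag are assumptions for the illustration.

```php
<?php
// Added illustration, not the plugin's code. Requires WordPress
// (add_shortcode, shortcode_atts and the esc_* helpers).

// Vulnerable pattern: each attribute value lands in the HTML exactly as typed,
// so any user who may insert the shortcode into a post controls the markup
// rendered to every visitor of that page.
function mc_demo_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'class' => '', 'link' => '' ), $atts, 'magic-conversation-demo' );
    return '<div class="' . $atts['class'] . '">'
         . '<a href="' . $atts['link'] . '">' . $atts['title'] . '</a>'
         . '</div>';
}

// Hardened pattern: restrict each attribute to what it is for (sanitization),
// then escape for the exact output context (attribute, URL, text).
function mc_demo_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'class' => '', 'link' => '' ), $atts, 'magic-conversation-demo' );

    // CSS class: allow-list the accepted values instead of passing strings through.
    $allowed_classes = array( 'mc-light', 'mc-dark' );
    $class = in_array( $atts['class'], $allowed_classes, true ) ? $atts['class'] : 'mc-light';

    // URL: esc_url() rejects schemes outside wp_allowed_protocols() (so no
    // javascript: links) and encodes characters that would end the attribute.
    $link = esc_url( $atts['link'] );

    // Attribute context gets esc_attr(), text content gets esc_html().
    return '<div class="' . esc_attr( $class ) . '">'
         . '<a href="' . $link . '">' . esc_html( $atts['title'] ) . '</a>'
         . '</div>';
}

// Only the hardened handler is registered; the vulnerable one exists for comparison.
add_shortcode( 'magic-conversation-demo', 'mc_demo_shortcode_hardened' );
```

The key point for reviewers is that sanitization at input (the allow-list) and escaping at output (the esc_* calls chosen per context) are separate controls; the advisory notes that both were missing.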

Affected Systems

WordPress sites that use the Magic Conversation For Gravity Forms plugin, versions 3.0.0 through 3.0.97. Only plugin versions up to and including 3.0.97 are affected; newer releases are presumed to be patched.

Risk and Exploitability

The CVSS v3.1 base score of 6.4 indicates medium severity. The vulnerability does not have an EPSS score published, and it is not listed in the CISA KEV catalogue. Exploitation requires authenticated access to the WordPress administrative interface with a contributor or higher role, and the attacker must save a shortcode with malicious attributes that is later rendered to visitors. Once the malicious attributes are stored, any visitor who loads the page executes the script.

Generated by OpenCVE AI on April 8, 2026 at 09:28 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Magic Conversation For Gravity Forms plugin to the latest stable release (≥3.0.98).
  • If an upgrade is not immediately possible, reduce the site’s contributor role permissions or temporarily deactivate the plugin until a patch is available.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 16:15:00 +0000

Type | Values removed | Values added
Metrics | - | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type | Values removed | Values added
First Time appeared | - | Magicplugins; Magicplugins magic Conversation For Gravity Forms; Wordpress; Wordpress wordpress
Vendors & Products | - | Magicplugins; Magicplugins magic Conversation For Gravity Forms; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type | Values removed | Values added
Description | - | The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | - | Magic Conversation For Gravity Forms <= 3.0.97 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses | - | CWE-79
References | - | -
Metrics | - | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Magicplugins Magic Conversation For Gravity Forms
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-13T15:15:09.808Z

Reserved: 2026-01-23T21:15:43.701Z

Link: CVE-2026-1396

Vulnrichment

Updated: 2026-04-13T15:11:59.048Z

NVD

Status : Deferred

Published: 2026-04-08T09:16:20.167

Modified: 2026-04-24T18:15:28.940

Link: CVE-2026-1396

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:25Z

Weaknesses