Description
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the `create_from_template` AJAX endpoint (allowing any authenticated user to create forms), insufficient input sanitization (`sanitize_text_field()` preserves single quotes), and missing output escaping when the form title is rendered in the Form Switcher dropdown (`title` attribute constructed without `esc_attr()`, and JavaScript `saferHtml` utility only escapes `&`, `<`, `>` but not quotes). This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary JavaScript that executes when an Administrator searches in the Form Switcher dropdown in the Form Editor.
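The description above hinges on two escaping gaps: `sanitize_text_field()` leaves single quotes in the stored title, and the client-side escaper handles only `&`, `<` and `>`. The following JavaScript is an added illustration, not code from Gravity Forms; the function names `escapeTagsOnly`, `escapeAttr`, `buildOption` and `attributeSafe` and the sample title are hypothetical. It contrasts an escaper that covers only tag characters with one that also covers attribute delimiters, and shows how a reviewer can check that a value is safe to place inside a quoted HTML attribute.

```javascript
// Added example (not the plugin's code). Contrasts tag-only escaping with
// attribute-safe escaping for a string that ends up inside a title="..." /
// title='...' attribute built by string concatenation.

// Escapes only &, <, > (the coverage the advisory attributes to `saferHtml`).
function escapeTagsOnly(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Escapes the attribute delimiters as well, which is what esc_attr() does on
// the PHP side; this is the form to use for any value inserted into markup.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Builds a dropdown entry whose title attribute is single-quoted, mirroring
// the markup shape described in the advisory. `escaper` is injected so both
// behaviours can be compared on the same input.
function buildOption(title, escaper) {
  const t = escaper(title);
  return "<option title='" + t + "'>" + t + "</option>";
}

// Review-time check: an escaped value that still contains a raw quote can
// terminate the attribute it is placed in, so treat it as unsafe.
function attributeSafe(escaped) {
  return !/["']/.test(escaped);
}

// Counts the single-quote characters in a rendered option; a well-formed
// entry has exactly the two that delimit the attribute.
function countSingleQuotes(markup) {
  return (markup.match(/'/g) || []).length;
}

// Constructed sample title: an apostrophe plus angle brackets, which is
// exactly the character mix sanitize_text_field() is described as passing.
const constructedTitle = "Customer's feedback <2026>";

function demo() {
  const weak = buildOption(constructedTitle, escapeTagsOnly);
  const strong = buildOption(constructedTitle, escapeAttr);
  return {
    weakAttributeSafe: attributeSafe(escapeTagsOnly(constructedTitle)),   // false
    strongAttributeSafe: attributeSafe(escapeAttr(constructedTitle)),     // true
    weakQuoteCount: countSingleQuotes(weak),                              // 4
    strongQuoteCount: countSingleQuotes(strong),                          // 2
  };
}
```

Usage: `demo()` returns the four checks side by side; the tag-only escaper leaves the apostrophe in place, so the rendered option carries four single quotes instead of the two delimiters, which is the condition `attributeSafe` is meant to flag in a code review or unit test. Where the DOM is available, setting `option.title = value` through the DOM API avoids building attribute strings at all.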
Published: 2026-03-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting allowing arbitrary client-side code execution
Action: Apply Patch
AI Analysis

Impact

Gravity Forms for WordPress is vulnerable to a stored XSS flaw caused by missing authorization on the create_from_template AJAX endpoint, inadequate input sanitization, and unsafe output rendering. This permits an authenticated user with Subscriber or higher privileges to inject malicious JavaScript that runs in the context of an Administrator when searching in the Form Switcher dropdown within the Form Editor. The flaw is classified as CWE-79. The resulting client-side execution could steal session cookies, deface the site, or perform other malicious actions within the scope of an administrator's session.

Affected Systems

All installations of the Gravity Forms plugin for WordPress up to and including version 2.9.28.1 are affected. The vulnerable component is the create_from_template AJAX endpoint and the form title rendering in the Form Switcher dropdown.

Risk and Exploitability

The CVSS base score is 6.4, indicating a moderate severity level. The EPSS score is less than 1%, suggesting a low probability of mass exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers require valid authentication as a user with Subscriber or higher privileges, so the risk is limited to compromised or poorly secured sites that allow such authenticated access. Given the lack of readily available public exploits and the need for authentication, the immediate risk to public-facing sites is moderate but non-negligible.

Generated by OpenCVE AI on March 17, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gravity Forms to the latest available version (>=2.9.28.2).
  • Verify the installed plugin version to confirm it is no longer affected.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Gravityforms; Gravityforms gravity Forms; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Gravityforms; Gravityforms gravity Forms; Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 09:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the `create_from_template` AJAX endpoint (allowing any authenticated user to create forms), insufficient input sanitization (`sanitize_text_field()` preserves single quotes), and missing output escaping when the form title is rendered in the Form Switcher dropdown (`title` attribute constructed without `esc_attr()`, and JavaScript `saferHtml` utility only escapes `&`, `<`, `>` but not quotes). This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary JavaScript that executes when an Administrator searches in the Form Switcher dropdown in the Form Editor.

Type: Title
Values Removed: (none)
Values Added: Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added:

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added:

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Gravityforms Gravity Forms
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T13:22:57.915Z

Reserved: 2026-03-03T16:42:20.561Z

Link: CVE-2026-3492

Vulnrichment

Updated: 2026-03-11T13:22:05.351Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T10:16:14.050

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-3492

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:29Z

Weaknesses