Description
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Credit Card field's 'Card Type' sub-field (`input_<id>.4`) in all versions up to, and including, 2.9.30. This is due to the `get_value_entry_detail()` method in the `GF_Field_CreditCard` class outputting the card type value without escaping, combined with `get_value_save_entry()` accepting and storing unsanitized user input for the `input_<id>.4` parameter. The Card Type field is not rendered on the frontend form (it is normally derived from the card number), but the backend submission parser blindly accepts it if included in the POST request. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form entry in the WordPress dashboard.
Published: 2026-04-07
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Patch Now
AI Analysis

Impact

Gravity Forms, a WordPress plugin, contains a stored cross‑site scripting vulnerability that allows unauthenticated users to inject arbitrary JavaScript into the credit card "Card Type" sub‑field. The unsanitized value is stored in the database and rendered unescaped when an administrator views a form entry, enabling the attacker to execute malicious scripts with the administrator’s permissions. The flaw is a classic input validation issue (CWE‑79) that can lead to data theft, session hijacking, or defacement of the backend interface.

Affected Systems

The vulnerability affects the Gravity Forms plugin for WordPress in all releases up to and including version 2.9.30. Any WordPress site that has that plugin version installed and uses a credit‑card field in a form is potentially impacted.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, and the vulnerability can be exploited by sending a crafted POST request containing a malicious value for input_<id>.4 to any form that uses the credit‑card field. The attacker does not need authentication or privileged access, making it a broad threat to sites that implement the affected plugin version. Although this flaw is not listed in the CISA KEV catalog and no EPSS score is available, the possibility of automated exploitation exists, especially if the site exposes a public form entry interface.

Generated by OpenCVE AI on April 8, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gravity Forms to version 2.9.31 or later.
  • Verify that forms do not submit or store the "Card Type" sub-field; if necessary, disable or remove credit‑card fields from forms until a patch is applied.
  • Implement a Content Security Policy that restricts inline scripts to mitigate potential XSS until a patch is in place.
  • Monitor the WordPress Admin dashboard for unexpected script execution and review entry logs for suspicious changes.

Generated by OpenCVE AI on April 8, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Gravityforms
Gravityforms gravity Forms
Wordpress
Wordpress wordpress
Vendors & Products Gravityforms
Gravityforms gravity Forms
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Credit Card field's 'Card Type' sub-field (`input_<id>.4`) in all versions up to, and including, 2.9.30. This is due to the `get_value_entry_detail()` method in the `GF_Field_CreditCard` class outputting the card type value without escaping, combined with `get_value_save_entry()` accepting and storing unsanitized user input for the `input_<id>.4` parameter. The Card Type field is not rendered on the frontend form (it is normally derived from the card number), but the backend submission parser blindly accepts it if included in the POST request. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form entry in the WordPress dashboard.
Title Gravity Forms <= 2.9.30 - Unauthenticated Stored Cross-Site Scripting via Credit Card 'Card Type' Sub-Field
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Gravityforms Gravity Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:52.157Z

Reserved: 2026-03-18T15:38:35.787Z

Link: CVE-2026-4394

cve-icon Vulnrichment

Updated: 2026-04-08T14:47:28.695Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T00:16:05.147

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-4394

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:45:05Z

Weaknesses