Description
The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `form_ids` parameter in the `gform_get_config` AJAX action in all versions up to, and including, 2.9.30. This is due to the `GFCommon::send_json()` method outputting JSON-encoded data wrapped in HTML comment delimiters using `echo` and `wp_die()`, which serves the response with a `Content-Type: text/html` header instead of `application/json`. The `wp_json_encode()` function does not HTML-encode angle brackets within JSON string values, allowing injected HTML/script tags in `form_ids` array values to be parsed and executed by the browser. The required `config_nonce` is generated with `wp_create_nonce('gform_config_ajax')` and is publicly embedded on every page that renders a Gravity Forms form, making it identical for all unauthenticated visitors within the same 12-hour nonce tick. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This vulnerability cannot be exploited against users who are authenticated on the target system, but could be used to alter the target page.
Published: 2026-04-07
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting (XSS)
Action: Patch Now
AI Analysis

Impact

An attacker can embed malicious script tags into the form_ids parameter of the gform_get_config AJAX endpoint. Because the JSON response is served with a text/html content type and the JSON encoder does not escape angle brackets, the browser interprets the injected tags and executes the script. This reflected XSS flaw (CWE-79) allows unauthenticated users to trick anyone visiting a Gravity Forms page into running arbitrary JavaScript, potentially defacing the page or exfiltrating data.
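
The two response-building patterns below are an added illustration of the defect class described above and of the fix a defender would look for; they are not Gravity Forms or WordPress code. The function names are hypothetical, the input array is constructed, and the JSON_HEX_* constants are standard PHP json_encode() flags. The unsafe builder reproduces the shape the advisory describes (JSON wrapped in HTML comment delimiters, default encoding flags, no Content-Type declared, so WordPress's text/html default applies); the safe builder declares application/json and has the encoder emit < and > as \u003C and \u003E so string values carry no markup characters.

```php
<?php
// Added example (not plugin or core code): vulnerable response shape vs. hardened shape.

// Vulnerable pattern: JSON inside HTML comment delimiters, default encoder flags,
// no Content-Type header set (text/html is inherited from the server default).
function build_response_unsafe(array $data): array {
    return [
        'headers' => [],                                  // nothing declared
        'body'    => '<!--GF_START-->' . json_encode($data) . '<!--GF_END-->',
    ];
}

// Hardened pattern: declare the body as JSON (WordPress core's wp_send_json() sets the
// same header) and escape <, >, &, ' and " inside string values as \uXXXX sequences,
// so even a client that treats the body as HTML finds no tag characters in the values.
function build_response_safe(array $data): array {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return [
        'headers' => ['Content-Type' => 'application/json; charset=utf-8'],
        'body'    => json_encode($data, $flags),
    ];
}

// Defender-side check for a captured response body: any raw angle bracket left?
function body_has_raw_angle_brackets(string $body): bool {
    return strpbrk($body, '<>') !== false;
}

// Constructed input standing in for a reflected form_ids array value.
$echoed = ['form_ids' => ['1', '<example>'], 'status' => 'ok'];

$responses = [
    'unsafe' => build_response_unsafe($echoed),
    'safe'   => build_response_safe($echoed),
];
foreach ($responses as $label => $resp) {
    printf("%-6s content-type=%s raw-brackets=%s\n  %s\n",
        $label,
        $resp['headers']['Content-Type'] ?? 'text/html (default)',
        body_has_raw_angle_brackets($resp['body']) ? 'yes' : 'no',
        $resp['body']);
}
```

Run with `php` on the command line: the unsafe body reproduces `<example>` verbatim, while the safe body contains `"\u003Cexample\u003E"` and is labelled application/json. In WordPress terms the same hardening is passing JSON_HEX_TAG (and the other JSON_HEX_* flags) to wp_json_encode() and returning through wp_send_json() rather than echo plus wp_die(), so the browser never receives reflected input under a text/html content type.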

Affected Systems

All installations of Gravity Forms version 2.9.30 or earlier on WordPress sites are affected. The plugin exposes the AJAX action on any page that renders a form, and the client-side nonce is identical across users, so the flaw is reachable for every unauthenticated visitor.

Risk and Exploitability

With a CVSS score of 4.7 the vulnerability is of moderate severity, largely due to its limited scope and the need for user interaction. EPSS data is unavailable and the flaw is not catalogued by CISA, indicating limited public exploitation to date. Attackers can craft a malicious link that triggers the vulnerable AJAX call; because the response is not properly escaped, exploitation is trivial once the user follows the link. The overall risk remains moderate but is still actionable.

Generated by OpenCVE AI on April 8, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gravity Forms to version 2.9.31 or later
  • Remove or disable the Gravity Forms plugin if an upgrade is not immediately possible
  • Verify that the site no longer exposes the gform_get_config AJAX endpoint by scanning URLs


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Gravityforms, Gravityforms gravity Forms, Wordpress, Wordpress wordpress

Type: Vendors & Products
Values Added: Gravityforms, Gravityforms gravity Forms, Wordpress, Wordpress wordpress

Wed, 08 Apr 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 23:30:00 +0000

Type: Description
Values Added: the advisory text shown in the Description section above (identical)

Type: Title
Values Added: Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:35.829Z

Reserved: 2026-03-18T20:50:03.678Z

Link: CVE-2026-4406

Vulnrichment

Updated: 2026-04-08T15:15:15.355Z

NVD

Status: Deferred

Published: 2026-04-08T00:16:05.490

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-4406

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:45:07Z

Weaknesses