CVE-2026-3492
Status: Received (Intake)
Stored XSS in Gravity Forms AJAX Endpoint Allows Script Injection

Publication date: 2026-03-11

Last updated on: 2026-03-11

Assigner: Wordfence

Description
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the `create_from_template` AJAX endpoint (allowing any authenticated user to create forms), insufficient input sanitization (`sanitize_text_field()` preserves single quotes), and missing output escaping when the form title is rendered in the Form Switcher dropdown (`title` attribute constructed without `esc_attr()`, and JavaScript `saferHtml` utility only escapes `&`, `<`, `>` but not quotes). This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary JavaScript that executes when an Administrator searches in the Form Switcher dropdown in the Form Editor.
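The three weaknesses named above chain into a classic attribute breakout. The following is an added illustration written for this page, not Gravity Forms code: it models a text sanitizer that keeps single quotes, a single-quoted `title` attribute written without attribute escaping, and an HTML escaper that handles only `&`, `<` and `>`, then shows how a title string turns into an extra event-handler attribute, and how quote escaping closes the gap. The markup shape, the sample title and every function name are assumptions made for illustration.

```javascript
// Added example for this advisory; not Gravity Forms code. Function names,
// the markup shape and the sample title are assumptions for illustration.

// Rough model of WordPress sanitize_text_field(): strips tags and surrounding
// whitespace but, as the advisory notes, leaves quote characters intact.
function modelSanitizeTextField(input) {
  return String(input).replace(/<[^>]*>/g, "").replace(/\s+/g, " ").trim();
}

// Model of the described saferHtml behaviour: escapes &, < and > only.
function saferHtmlModel(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Attribute-safe escaper (what esc_attr()-style escaping provides):
// additionally neutralises both quote characters.
function escapeAttr(s) {
  return saferHtmlModel(s).replace(/"/g, "&quot;").replace(/'/g, "&#039;");
}

// Assumed shape of a Form Switcher entry: the title lands in a single-quoted
// title attribute and in the element body.
function renderSwitcherEntry(title, escape) {
  return "<li title='" + escape(title) + "'>" + escape(title) + "</li>";
}

// Tiny attribute tokenizer for the opening <li ...> tag, enough to show
// whether the rendered element gained an attribute it should not have.
function attributeNames(html) {
  const open = html.match(/^<li\s([\s\S]*?)>/);
  if (!open) return [];
  const names = [];
  const attr = /([A-Za-z-]+)(?:\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s'"]+)))?/g;
  let m;
  while ((m = attr.exec(open[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample input: a form title a low-privilege user could submit.
// It contains no tags, so the sanitizer keeps it unchanged, but the single
// quote closes the title attribute early.
const SAMPLE_TITLE = "Survey' onmouseover='alert(document.cookie)";

// Runs the stored title through both escapers and reports the attributes the
// rendered element ends up with.
function demonstrate(rawTitle = SAMPLE_TITLE) {
  const stored = modelSanitizeTextField(rawTitle); // quote survives storage
  const weak = renderSwitcherEntry(stored, saferHtmlModel);
  const fixed = renderSwitcherEntry(stored, escapeAttr);
  return {
    stored,
    weakHtml: weak,
    weakAttributes: attributeNames(weak),   // ["title", "onmouseover"]
    fixedHtml: fixed,
    fixedAttributes: attributeNames(fixed), // ["title"]
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

The weak render yields `<li title='Survey' onmouseover='alert(document.cookie)'>`, where the browser sees two attributes and fires the handler on hover; the hardened render keeps the whole string inside a single `title` value. Escaping `&`, `<` and `>` is sufficient only for text nodes; anything placed in an attribute must also have both quote characters encoded.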
Meta Information
Published: 2026-03-11
Last Modified: 2026-03-11
Generated: 2026-06-16
AI Q&A: 2026-03-11
EPSS Evaluated: 2026-06-15
Cross-references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)

Vendor        Product         Version / Range
rocketgenius  gravity_forms   2.9.28.1
rocketgenius  gravity_forms   From 2.9.18 (inc) to 2.9.29 (inc)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 2.9.28.1. Three weaknesses combine: the `create_from_template` AJAX endpoint performs no authorization check, so any authenticated user can create a form; the form title is sanitized with `sanitize_text_field()`, which strips tags but preserves single quotes; and the title is rendered into the Form Switcher dropdown without output escaping, the `title` attribute being built without `esc_attr()` and the JavaScript `saferHtml` utility encoding only `&`, `<` and `>`, not quotes. A single quote in a stored title therefore terminates the attribute and lets the attacker append an event-handler attribute. An authenticated attacker with Subscriber-level access or higher can thus store JavaScript that executes in the browser of an Administrator who searches in the Form Switcher dropdown in the Form Editor.

Impact Analysis

An authenticated attacker with Subscriber-level access or above can inject JavaScript that runs in an Administrator's browser session when the Administrator interacts with the Form Switcher dropdown in the Form Editor. Because the script runs with the Administrator's authenticated session on the WordPress admin, it can perform actions as that Administrator (including requests that carry the Administrator's nonces and cookies), exfiltrate data from the admin area, or hijack the session. Exploitation requires an Administrator to open the Form Editor and use the switcher, so the attacker must wait for or induce that interaction.

Detection Guidance

The page carries no vendor-supplied detection guidance; the following points are derived from the vulnerability description. Review stored Gravity Forms titles for characters that have no place in a legitimate title, in particular single quotes followed by `=` or by event-handler names such as `onmouseover`, `onclick` or `onfocus`, since the attack relies on a quote breaking out of the `title` attribute. If your logging records which account created each form, treat forms created by Subscriber-level or other low-privilege accounts as suspicious, because the unauthorized `create_from_template` endpoint is the only way such accounts could have created them. On the request side, admin-ajax requests from low-privilege sessions that reach the `create_from_template` endpoint indicate exploitation attempts.

Mitigation Strategies

Update the Gravity Forms plugin to the latest release. The description states that all versions up to and including 2.9.28.1 are vulnerable, while the associated CPE data on this page lists the affected range as 2.9.18 through 2.9.29 inclusive; because the two disagree on the upper bound, do not rely on being at 2.9.29 and instead install the newest version the vendor publishes.

Until the update is applied, reduce the pool of accounts that can reach the endpoint: the vulnerability is exploitable by any authenticated user with Subscriber-level access or above, which is the default role assigned when WordPress open registration ("Anyone can register") is enabled, so disable open registration where it is not needed and review existing low-privilege accounts.
