CVE-2026-4406
Received Received - Intake
Reflected XSS in Gravity Forms Plugin via form_ids Parameter

Publication date: 2026-04-08

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `form_ids` parameter in the `gform_get_config` AJAX action in all versions up to, and including, 2.9.30. This is due to the `GFCommon::send_json()` method outputting JSON-encoded data wrapped in HTML comment delimiters using `echo` and `wp_die()`, which serves the response with a `Content-Type: text/html` header instead of `application/json`. The `wp_json_encode()` function does not HTML-encode angle brackets within JSON string values, allowing injected HTML/script tags in `form_ids` array values to be parsed and executed by the browser. The required `config_nonce` is generated with `wp_create_nonce('gform_config_ajax')` and is publicly embedded on every page that renders a Gravity Forms form, making it identical for all unauthenticated visitors within the same 12-hour nonce tick. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This vulnerability cannot be exploited against users who are authenticated on the target system, but could be used to alter the target page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-08
Generated
2026-05-07
AI Q&A
2026-04-08
EPSS Evaluated
2026-05-05
NVD
CVE-2026-4406
EUVD
EUVD-2026-19994
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rocketgenius gravity_forms to 2.9.30 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The Gravity Forms plugin for WordPress has a Reflected Cross-Site Scripting (XSS) vulnerability via the `form_ids` parameter in the `gform_get_config` AJAX action in all versions up to and including 2.9.30.

This happens because the method `GFCommon::send_json()` outputs JSON-encoded data wrapped in HTML comment delimiters using `echo` and `wp_die()`, serving the response with a `Content-Type: text/html` header instead of `application/json`.

The `wp_json_encode()` function does not HTML-encode angle brackets within JSON string values, which allows injected HTML or script tags in the `form_ids` array values to be parsed and executed by the browser.

Although a `config_nonce` is required and generated with `wp_create_nonce('gform_config_ajax')`, it is publicly embedded on every page rendering a Gravity Forms form and is identical for all unauthenticated visitors within the same 12-hour nonce tick.

This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if a user is tricked into performing an action like clicking a link.

The vulnerability cannot be exploited against authenticated users on the target system but could be used to alter the target page.


How can this vulnerability impact me? :

This vulnerability allows unauthenticated attackers to inject and execute arbitrary scripts in the context of the affected website.

If a user is tricked into clicking a malicious link, the injected scripts could run in their browser, potentially leading to actions such as stealing session information, redirecting users to malicious sites, or altering the content of the affected page.

However, the vulnerability cannot be exploited against authenticated users, which limits some attack scenarios.

The overall impact is a moderate risk of information disclosure and integrity loss of the web page content.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart