{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3492", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-03T16:42:20.561Z", "datePublished": "2026-03-11T09:25:43.761Z", "dateUpdated": "2026-04-08T17:13:09.977Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:09.977Z"}, "affected": [{"vendor": "Gravity Forms", "product": "Gravity Forms", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.9.28", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the `create_from_template` AJAX endpoint (allowing any authenticated user to create forms), insufficient input sanitization (`sanitize_text_field()` preserves single quotes), and missing output escaping when the form title is rendered in the Form Switcher dropdown (`title` attribute constructed without `esc_attr()`, and JavaScript `saferHtml` utility only escapes `&`, `<`, `>` but not quotes). This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary JavaScript that executes when an Administrator searches in the Form Switcher dropdown in the Form Editor."}], "title": "Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4d16ccd-149a-4f70-84b4-59429827baa5?source=cve"}, {"url": "https://docs.gravityforms.com/gravityforms-change-log/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "timeline": [{"time": "2026-03-03T16:57:31.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-10T21:09:42.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T13:19:19.851812Z", "id": "CVE-2026-3492", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:22:57.915Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3492", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T13:19:19.851812Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:22:05.351Z"}}], "cna": {"title": "Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title", "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "Gravity Forms", "product": "Gravity Forms", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.9.28"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-03T16:57:31.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-10T21:09:42.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4d16ccd-149a-4f70-84b4-59429827baa5?source=cve"}, {"url": "https://docs.gravityforms.com/gravityforms-change-log/"}], "descriptions": [{"lang": "en", "value": "The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the `create_from_template` AJAX endpoint (allowing any authenticated user to create forms), insufficient input sanitization (`sanitize_text_field()` preserves single quotes), and missing output escaping when the form title is rendered in the Form Switcher dropdown (`title` attribute constructed without `esc_attr()`, and JavaScript `saferHtml` utility only escapes `&`, `<`, `>` but not quotes). This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary JavaScript that executes when an Administrator searches in the Form Switcher dropdown in the Form Editor."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:09.977Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3492", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:13:09.977Z", "dateReserved": "2026-03-03T16:42:20.561Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-11T09:25:43.761Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the `create_from_template` AJAX endpoint (allowing any authenticated user to create forms), insufficient input sanitization (`sanitize_text_field()` preserves single quotes), and missing output escaping when the form title is rendered in the Form Switcher dropdown (`title` attribute constructed without `esc_attr()`, and JavaScript `saferHtml` utility only escapes `&`, `<`, `>` but not quotes). This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary JavaScript that executes when an Administrator searches in the Form Switcher dropdown in the Form Editor."}, {"lang": "es", "value": "El plugin Gravity Forms para WordPress es vulnerable a cross-site scripting almacenado en todas las versiones hasta la 2.9.28.1, inclusive. Esto se debe a un fallo compuesto que implica una autorizaci\u00f3n faltante en el endpoint AJAX `create_from_template` (permitiendo a cualquier usuario autenticado crear formularios), saneamiento de entrada insuficiente (`sanitize_text_field()` conserva las comillas simples), y escape de salida faltante cuando el t\u00edtulo del formulario se renderiza en el desplegable del Selector de Formularios (atributo `title` construido sin `esc_attr()`, y la utilidad JavaScript `saferHtml` solo escapa `&amp;`, `&lt;`, `&gt;` pero no las comillas). Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, inyecten JavaScript arbitrario que se ejecuta cuando un Administrador busca en el desplegable del Selector de Formularios en el Editor de Formularios."}], "id": "CVE-2026-3492", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-11T10:16:14.050", "references": [{"source": "security@wordfence.com", "url": "https://docs.gravityforms.com/gravityforms-change-log/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4d16ccd-149a-4f70-84b4-59429827baa5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.9.28]"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Gravity Forms", "source": "cna", "vendor": "Gravity Forms"}, "product": "gravity_forms", "vendor": "gravityforms"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T16:35:43.178562+00:00", "value": {"mitigation_remediation": ["Upgrade Gravity Forms to the latest available version (>=2.9.28.2).", "Verify the installed plugin version to confirm it is no longer affected."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting allowing arbitrary client\u2011side code execution"}, "threat_synthesis": {"affected_systems": "All installations of the Gravity Forms plugin for WordPress up to and including version 2.9.28.1 are affected. The vulnerable component is the create_from_template AJAX endpoint and the form title rendering in the Form Switcher dropdown.", "description_and_impact": "Gravity Forms for WordPress is vulnerable to a stored XSS flaw caused by missing authorization on the create_from_template AJAX endpoint, inadequate input sanitization, and unsafe output rendering. This permits an authenticated user with Subscriber or higher privileges to inject malicious JavaScript that runs in the context of an Administrator when searching in the Form Switcher dropdown within the Form Editor. The flaw is classified as CWE\u201179. The resultant effect is client\u2011side execution that could steal session cookies, deface the site, or perform other malicious actions within the scope of an administrator\u2019s session.", "risk_and_exploitability": "The CVSS base score is 6.4, indicating a moderate severity level. The EPSS score is less than 1%, suggesting a low probability of mass exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers require valid authentication as a user with Subscriber or higher privileges, so the risk is limited to compromised or poorly secured sites that allow such authenticated access. Given the lack of readily available public exploits and the need for authentication, the immediate risk to public\u2011facing sites is moderate but non\u2011negligible."}}}}, "created": "2026-03-12T10:06:08.198869+00:00", "updated": "2026-03-20T14:37:29.446777+00:00", "vendors": ["gravityforms", "gravityforms$PRODUCT$gravity_forms", "wordpress", "wordpress$PRODUCT$wordpress"]}