{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4406", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-18T20:50:03.678Z", "datePublished": "2026-04-07T23:25:27.669Z", "dateUpdated": "2026-04-08T16:48:35.829Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:35.829Z"}, "affected": [{"vendor": "Gravity Forms", "product": "Gravity Forms", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.9.30", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `form_ids` parameter in the `gform_get_config` AJAX action in all versions up to, and including, 2.9.30. This is due to the `GFCommon::send_json()` method outputting JSON-encoded data wrapped in HTML comment delimiters using `echo` and `wp_die()`, which serves the response with a `Content-Type: text/html` header instead of `application/json`. The `wp_json_encode()` function does not HTML-encode angle brackets within JSON string values, allowing injected HTML/script tags in `form_ids` array values to be parsed and executed by the browser. The required `config_nonce` is generated with `wp_create_nonce('gform_config_ajax')` and is publicly embedded on every page that renders a Gravity Forms form, making it identical for all unauthenticated visitors within the same 12-hour nonce tick. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This vulnerability cannot be exploited against users who are authenticated on the target system, but could be used to alter the target page."}], "title": "Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4126d452-65a9-48f5-a3f5-5be1b8fff80c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gravityforms/trunk/common.php#L8267"}, {"url": "https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/config/class-gf-config-collection.php#L56"}, {"url": "https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/config/class-gf-config-service-provider.php#L144"}, {"url": "https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/config/items/class-gf-config-global.php#L22"}, {"url": "https://docs.gravityforms.com/gravityforms-change-log/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Anthony Cihan"}], "timeline": [{"time": "2026-03-18T21:05:25.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T10:36:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:15:11.294642Z", "id": "CVE-2026-4406", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:15:19.348Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4406", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:15:11.294642Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:15:15.355Z"}}], "cna": {"title": "Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Anthony Cihan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "Gravity Forms", "product": "Gravity Forms", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.9.30"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-18T21:05:25.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T10:36:04.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4126d452-65a9-48f5-a3f5-5be1b8fff80c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gravityforms/trunk/common.php#L8267"}, {"url": "https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/config/class-gf-config-collection.php#L56"}, {"url": "https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/config/class-gf-config-service-provider.php#L144"}, {"url": "https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/config/items/class-gf-config-global.php#L22"}, {"url": "https://docs.gravityforms.com/gravityforms-change-log/"}], "descriptions": [{"lang": "en", "value": "The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `form_ids` parameter in the `gform_get_config` AJAX action in all versions up to, and including, 2.9.30. This is due to the `GFCommon::send_json()` method outputting JSON-encoded data wrapped in HTML comment delimiters using `echo` and `wp_die()`, which serves the response with a `Content-Type: text/html` header instead of `application/json`. The `wp_json_encode()` function does not HTML-encode angle brackets within JSON string values, allowing injected HTML/script tags in `form_ids` array values to be parsed and executed by the browser. The required `config_nonce` is generated with `wp_create_nonce('gform_config_ajax')` and is publicly embedded on every page that renders a Gravity Forms form, making it identical for all unauthenticated visitors within the same 12-hour nonce tick. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This vulnerability cannot be exploited against users who are authenticated on the target system, but could be used to alter the target page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:35.829Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4406", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:48:35.829Z", "dateReserved": "2026-03-18T20:50:03.678Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-07T23:25:27.669Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `form_ids` parameter in the `gform_get_config` AJAX action in all versions up to, and including, 2.9.30. This is due to the `GFCommon::send_json()` method outputting JSON-encoded data wrapped in HTML comment delimiters using `echo` and `wp_die()`, which serves the response with a `Content-Type: text/html` header instead of `application/json`. The `wp_json_encode()` function does not HTML-encode angle brackets within JSON string values, allowing injected HTML/script tags in `form_ids` array values to be parsed and executed by the browser. The required `config_nonce` is generated with `wp_create_nonce('gform_config_ajax')` and is publicly embedded on every page that renders a Gravity Forms form, making it identical for all unauthenticated visitors within the same 12-hour nonce tick. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This vulnerability cannot be exploited against users who are authenticated on the target system, but could be used to alter the target page."}], "id": "CVE-2026-4406", "lastModified": "2026-04-27T19:04:22.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T00:16:05.490", "references": [{"source": "security@wordfence.com", "url": "https://docs.gravityforms.com/gravityforms-change-log/"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/gravityforms/trunk/common.php#L8267"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/config/class-gf-config-collection.php#L56"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/config/class-gf-config-service-provider.php#L144"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/config/items/class-gf-config-global.php#L22"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4126d452-65a9-48f5-a3f5-5be1b8fff80c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.9.30]"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Gravity Forms", "source": "cna", "vendor": "Gravity Forms"}, "product": "gravity_forms", "vendor": "gravityforms"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T00:21:00.549741+00:00", "value": {"mitigation_remediation": ["Upgrade Gravity Forms to version 2.9.31 or later", "Remove or disable the Gravity Forms plugin if an upgrade is not immediately possible", "Verify that the site no longer exposes the gform_get_config AJAX endpoint by scanning URLs"], "summary": {"action": "Patch Now", "impact": "Reflected Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "All installations of Gravity Forms version 2.9.30 or earlier on WordPress sites are affected. The plugin exposes the AJAX action on any page that renders a form, and the client\u2011side nonce is identical across users, giving the flaw access to every unauthenticated visitor.", "description_and_impact": "An attacker can embed malicious script tags into the form_ids parameter of the gform_get_config AJAX endpoint. Because the JSON response is served with a text/html content type and the JSON encoder does not escape angle brackets, the browser interprets the injected tags and executes the script. This reflected XSS flaw (CWE\u201179) allows unauthenticated users to trick anyone visiting a Gravity Forms page into running arbitrary JavaScript, potentially defacing the page or exfiltrating data.", "risk_and_exploitability": "With a CVSS score of 4.7 the vulnerability is of moderate severity, largely due to its limited scope and the need for user interaction. EPSS data is unavailable and the flaw is not catalogued by CISA, indicating limited public exploitation to date. Attackers can craft a malicious link that triggers the vulnerable AJAX call, and because the response is not properly escaped once the user clicks, exploitation becomes trivial provided the user follows the link. The overall risk remains moderate but is still actionable."}}}}, "created": "2026-04-08T19:33:47.733572+00:00", "updated": "2026-04-08T19:45:07.062363+00:00", "vendors": ["gravityforms", "gravityforms$PRODUCT$gravity_forms", "wordpress", "wordpress$PRODUCT$wordpress"]}