CVE-2026-4406 MEDIUM

CVE-2026-4406: Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter

Vendor Gravity Forms
Product Gravity Forms
Weakness CWE-79 · XSS
Published April 7, 2026
Last update April 8, 2026

CVSS base score

4.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `form_ids` parameter in the `gform_get_config` AJAX action in all versions up to, and including, 2.9.30. This is due to the `GFCommon::send_json()` method outputting JSON-encoded data wrapped in HTML comment delimiters using `echo` and `wp_die()`, which serves the response with a `Content-Type: text/html` header instead of `application/json`. The `wp_json_encode()` function does not HTML-encode angle brackets within JSON string values, allowing injected HTML/script tags in `form_ids` array values to be parsed and executed by the browser. The required `config_nonce` is generated with `wp_create_nonce('gform_config_ajax')` and is publicly embedded on every page that renders a Gravity Forms form, making it identical for all unauthenticated visitors within the same 12-hour nonce tick. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This vulnerability cannot be exploited against users who are authenticated on the target system, but could be used to alter the target page.

Explanation of Vulnerability in Simple Terms

02Summary

Gravity Forms versions up to 2.9.30 contain a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages. The vulnerability requires user interaction and network access but does not require authentication. An attacker can craft a malicious link or page that, when visited by a site user, executes JavaScript in their browser context, potentially stealing session data or performing actions on their behalf.

What an attacker can do

03Attacker Capabilities

Inject and execute malicious JavaScript in a user's browser when they visit a crafted page or click a malicious link.

Potential impact on your site

04Site Impact

Site users' browsers can be compromised to steal cookies, session tokens, or perform unauthorized actions without their knowledge.

Conditions required to exploit

05Prerequisites

A site visitor must click a malicious link or visit an attacker-controlled page; no authentication required.

Key dates

06Disclosure timeline

April 7, 2026 CVE published
April 8, 2026 Record updated