PT-2026-24658 · Gravity Forms · Gravity Forms

Mikemyers · Published 2026-03-11 · Updated 2026-03-15 · CVE-2026-3492

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Gravity Forms versions prior to 2.9.28.1

Description: The Gravity Forms plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is caused by a combination of issues: missing authorization on the create-from-template API endpoint, which allows any authenticated user to create forms; inadequate input sanitization using sanitize_text_field(), which allows single quotes; and a lack of output escaping when the form title is displayed in the Form Switcher dropdown, where the title attribute is constructed without esc_attr(), and the JavaScript saferHtml utility does not escape quotes. This allows authenticated attackers with Subscriber-level access or higher to inject arbitrary JavaScript that will execute when an Administrator searches within the Form Switcher dropdown in the Form Editor.

Recommendations: Update Gravity Forms to version 2.9.28.1 or later.
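The escaping point in the description is worth seeing concretely: an input filter that strips tags but keeps quotes, followed by an output escaper that handles only &, < and >, leaves a single quote free to terminate a single-quoted HTML attribute. The following is an added illustration, not Gravity Forms code and not the WordPress sanitize_text_field() or esc_attr() implementations; every function name here (sanitizeTitle, escapeTextOnly, escapeAttr, renderOption, attributeIntact, demo) and the sample title are hypothetical and constructed for the example. It shows the weak escaper beside a complete attribute escaper and a check that the rendered attribute stays intact.

```javascript
// Added example (not Gravity Forms or WordPress code): why input sanitization
// is not a substitute for context-aware output escaping in an HTML attribute.

// Hypothetical input-side filter modelled loosely on sanitize_text_field():
// strips tags and trims whitespace, but leaves quote characters in place.
function sanitizeTitle(s) {
  return String(s).replace(/<[^>]*>/g, '').trim();
}

// Hypothetical incomplete escaper: adequate for text-node context (&, <, >)
// but leaves both quote characters untouched, so it is unsafe for attributes.
function escapeTextOnly(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Complete attribute escaper: also encodes double and single quotes, so a value
// can never close the attribute it is placed in. Illustration only, not esc_attr().
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Build a dropdown option the way a form switcher might: the title lands in a
// single-quoted title attribute and as the option's visible text.
function renderOption(title, escaper) {
  return "<option title='" + escaper(title) + "'>" + escaper(title) + "</option>";
}

// Defensive check: the title attribute is intact only if the markup contains a
// single-quoted title value with no raw single quote inside it.
function attributeIntact(markup) {
  const m = markup.match(/title='([^']*)'>/);
  return m !== null && !m[1].includes("'");
}

// Constructed sample title: survives the tag-stripping filter yet carries a quote.
const SAMPLE_TITLE = sanitizeTitle("  Bob's <b>contact</b> form ");

// Render the same sanitized title through both escapers and report whether the
// attribute boundary survived in each case.
function demo() {
  const weak = renderOption(SAMPLE_TITLE, escapeTextOnly);
  const safe = renderOption(SAMPLE_TITLE, escapeAttr);
  return {
    weak,
    safe,
    weakIntact: attributeIntact(weak), // false: the quote ended the attribute early
    safeIntact: attributeIntact(safe), // true: the quote was encoded as &#039;
  };
}

console.log(demo());
```

The takeaway for a reviewer is the one the advisory makes: sanitizing on input (here, dropping tags) does not decide what is safe in a given output context, and an escaper must be chosen for the context it writes into, with attribute values always getting quote encoding.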

Fix

XSS


Weakness Enumeration

Related Identifiers: CVE-2026-3492

Affected Products: Gravity Forms