CVE-2026-4394

Name of the Vulnerable Software and Affected Versions Gravity Forms plugin for WordPress versions up to and including 2.9.30

Description The Gravity Forms plugin for WordPress is susceptible to Stored Cross-Site Scripting through the Credit Card field's 'Card Type' sub-field (input <id>.4). This occurs because the get value entry detail() method in the GF Field CreditCard class outputs the card type value without proper escaping, and the get value save entry() method accepts and stores unsanitized user input for the input <id>.4 parameter. The Card Type field, while not typically displayed on the frontend form, is processed by the backend submission parser if included in the POST request, allowing unauthenticated attackers to inject malicious web scripts that execute when an administrator views the form entry in the WordPress dashboard.

Recommendations Update Gravity Forms to a version later than 2.9.30.