CVE-2026-4406

The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the form ids parameter in the gform get config AJAX action in all versions up to, and including, 2.9.30. This is due to the GFCommon::send json() method outputting JSON-encoded data wrapped in HTML comment delimiters using echo and wp die(), which serves the response with a Content-Type: text/html header instead of application/json. The wp json encode() function does not HTML-encode angle brackets within JSON string values, allowing injected HTML/script tags in form ids array values to be parsed and executed by the browser. The required config nonce is generated with wp create nonce('gform config ajax') and is publicly embedded on every page that renders a Gravity Forms form, making it identical for all unauthenticated visitors within the same 12-hour nonce tick. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This vulnerability cannot be exploited against users who are authenticated on the target system, but could be used to alter the target page.