PT-2026-31051 · WordPress · Gravity Forms

Anthony Cihan · Published 2026-04-07 · Updated 2026-04-08 · CVE-2026-4406

CVSS v3.1: 4.7 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Gravity Forms plugin for WordPress, versions up to and including 2.9.30

Description
The Gravity Forms plugin for WordPress is susceptible to Reflected Cross-Site Scripting through the form_ids parameter of the gform_get_config AJAX action. The GFCommon::send_json() method outputs the JSON-encoded response wrapped in HTML comment delimiters via echo and wp_die(), so the response is served with a Content-Type: text/html header instead of application/json. Because wp_json_encode() does not HTML-encode angle brackets inside JSON string values, an attacker-controlled value in the form_ids array can close the surrounding HTML comment and inject HTML or script tags, which the browser then parses and executes as markup rather than data. The nonce that protects this action is embedded in every page that renders a Gravity Forms form and is identical for all unauthenticated visitors within the same 12-hour nonce tick, so an attacker can read a valid nonce from any public page containing a form. This allows unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can trick a user into performing an action, such as following a crafted link. This issue does not affect authenticated users, whose nonces are tied to their user ID and session token and therefore do not match the one embedded for logged-out visitors.

Recommendations
For versions up to and including 2.9.30, ensure proper input sanitization and output encoding for the form_ids parameter in the gform_get_config AJAX action: accept only integer form IDs and encode angle brackets in the JSON output. Verify that the Content-Type header is set to application/json when returning JSON data, so that browsers do not interpret the response as HTML. Consider implementing stricter nonce validation or rotating nonces more frequently.
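The following PHP is added here as an illustration of the pattern described above and its hardened counterpart; it is not Gravity Forms' code. The comment delimiter strings, the function names, the shape of the response payload, and the way form_ids is read are assumptions chosen for the demo. Only json_encode() (which wp_json_encode() wraps), wp_die(), wp_send_json() and the JSON_HEX_* flags are real PHP/WordPress APIs. The script runs under the PHP CLI without WordPress.

```php
<?php
// Added illustration for CVE-2026-4406, not the plugin's own code.
// Delimiter strings, function names and payload shape are assumptions.

// Vulnerable pattern (as the advisory describes it): the JSON body is
// wrapped in HTML comment delimiters and emitted with echo + wp_die(),
// so admin-ajax.php serves it as text/html. json_encode(), which
// wp_json_encode() wraps, leaves '<' and '>' untouched in string values.
function vulnerable_get_config_body(array $form_ids): string
{
    $payload = ['form_ids' => $form_ids, 'config' => []];
    // Hypothetical delimiters standing in for the plugin's own.
    return '<!--GF_AJAX_POSTBACK-->'
        . json_encode($payload)
        . '<!--END_GF_AJAX_POSTBACK-->';
    // In the plugin this string would be echo'd and followed by wp_die().
}

// Hardened pattern: keep only positive integer form IDs (anything else is
// dropped, never reflected), and escape HTML-significant characters inside
// the JSON even so. In WordPress, send the result with wp_send_json(), which
// sets Content-Type: application/json and exits.
function hardened_get_config_body(array $form_ids): string
{
    $clean_ids = [];
    foreach ($form_ids as $id) {
        if ((is_string($id) || is_int($id)) && preg_match('/^[1-9][0-9]*$/', (string) $id)) {
            $clean_ids[] = (int) $id;
        }
    }
    $payload = ['form_ids' => $clean_ids, 'config' => []];
    // JSON_HEX_TAG turns '<' / '>' into \u003C / \u003E, so a value that
    // slipped past validation still could not open an HTML tag.
    return json_encode($payload, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample input: one legitimate ID and one value that closes the
// enclosing HTML comment and injects a tag that needs no closing tag.
$sample = ['7', '--><img src=x onerror=alert(document.domain)>'];

$vuln = vulnerable_get_config_body($sample);
$safe = hardened_get_config_body($sample);

echo "Vulnerable body:\n$vuln\n\n";
echo "Hardened body:\n$safe\n\n";
echo 'Vulnerable body contains a raw <img tag: ' . (strpos($vuln, '<img') !== false ? 'yes' : 'no') . "\n";
echo 'Hardened body contains a raw <img tag:   ' . (strpos($safe, '<img') !== false ? 'yes' : 'no') . "\n";

// Inside WordPress, replace the echo / wp_die() pair with:
//   wp_send_json( $payload, 200, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );
// (the $flags argument exists since WordPress 5.6), which emits
// Content-Type: application/json and stops execution.
```

Run it with `php demo.php`. The vulnerable body reproduces the two conditions the advisory names (HTML-comment wrapping and unescaped angle brackets), while the hardened body shows the three recommended controls together: integer-only input validation, JSON_HEX_* output encoding, and delivery via wp_send_json() so the browser never treats the response as HTML.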

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-4406

Affected Products

Gravity Forms