Description
The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `form_ids` parameter in the `gform_get_config` AJAX action in all versions up to, and including, 2.9.30. This is due to the `GFCommon::send_json()` method outputting JSON-encoded data wrapped in HTML comment delimiters using `echo` and `wp_die()`, which serves the response with a `Content-Type: text/html` header instead of `application/json`. The `wp_json_encode()` function does not HTML-encode angle brackets within JSON string values, allowing injected HTML/script tags in `form_ids` array values to be parsed and executed by the browser. The required `config_nonce` is generated with `wp_create_nonce('gform_config_ajax')` and is publicly embedded on every page that renders a Gravity Forms form, making it identical for all unauthenticated visitors within the same 12-hour nonce tick. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This vulnerability cannot be exploited against users who are authenticated on the target system, but could be used to alter the target page.
INFO
Published Date :
2026-04-07T23:25:27.669Z
Last Modified :
2026-04-08T16:48:35.829Z
Source :
Wordfence
AFFECTED PRODUCTS
The following products are affected by CVE-2026-4406 vulnerability.
| Vendors | Products |
|---|---|
| Gravityforms |
|
| Wordpress |
|
REFERENCES
Here, you will find a curated list of external links that provide in-depth information to CVE-2026-4406.
