CVE-2026-4406

Description

The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `form_ids` parameter in the `gform_get_config` AJAX action in all versions up to, and including, 2.9.30. This is due to the `GFCommon::send_json()` method outputting JSON-encoded data wrapped in HTML comment delimiters using `echo` and `wp_die()`, which serves the response with a `Content-Type: text/html` header instead of `application/json`. The `wp_json_encode()` function does not HTML-encode angle brackets within JSON string values, allowing injected HTML/script tags in `form_ids` array values to be parsed and executed by the browser. The required `config_nonce` is generated with `wp_create_nonce('gform_config_ajax')` and is publicly embedded on every page that renders a Gravity Forms form, making it identical for all unauthenticated visitors within the same 12-hour nonce tick. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This vulnerability cannot be exploited against users who are authenticated on the target system, but could be used to alter the target page.

References

• https://docs.gravityforms.com/gravityforms-change-log/
• https://plugins.trac.wordpress.org/browser/gravityforms/trunk/common.php#L8267
• https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/config/class-gf-config-collection.php#L56
• https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/config/class-gf-config-service-provider.php#L144
• https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/config/items/class-gf-config-global.php#L22