Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

11 records (1 Critical, 4 High, 6 Medium), sorted by entry update date, newest first.

CVE-2026-4394 - Gravity Forms Plugin
Severity: MEDIUM (CVSS 6.1) | Published: 2026-04-08 | Entry updated: 2026-04-08 | Plugin: Gravity Forms

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Credit Card field's 'Card Type' sub-field (`input_.4`) in all versions up to, and including, 2.9.30. This is due to the `get_value_entry_detail()` method in the `GF_Field_CreditCard` class outputting the card type value without escaping, combined with `get_value_save_entry()` accepting and storing unsanitized user input for the `input_.4` parameter. The Card Type field is not rendered on the frontend form (it is normally derived from the card number), but the backend submission parser blindly accepts it if included in…

CVE-2026-4406 - Gravity Forms Plugin
Severity: MEDIUM (CVSS 4.7) | Published: 2026-04-08 | Entry updated: 2026-04-08 | Plugin: Gravity Forms

The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `form_ids` parameter in the `gform_get_config` AJAX action in all versions up to, and including, 2.9.30. This is due to the `GFCommon::send_json()` method outputting JSON-encoded data wrapped in HTML comment delimiters using `echo` and `wp_die()`, which serves the response with a `Content-Type: text/html` header instead of `application/json`. The `wp_json_encode()` function does not HTML-encode angle brackets within JSON string values, allowing injected HTML/script tags in `form_ids` array values to be parsed and executed by the browser. The required…

CVE-2026-3492 - Gravity Forms Plugin
Severity: MEDIUM (CVSS 6.4) | Published: 2026-03-11 | Entry updated: 2026-03-11 | Plugin: Gravity Forms

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the `create_from_template` AJAX endpoint (allowing any authenticated user to create forms), insufficient input sanitization (`sanitize_text_field()` preserves single quotes), and missing output escaping when the form title is rendered in the Form Switcher dropdown (the `title` attribute is constructed without `esc_attr()`, and the JavaScript `saferHtml` utility only escapes `&`, `<` and `>` but not quotes). This makes it possible for authenticated attackers, with Subscriber-level access…
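
The three XSS entries above (CVE-2026-4394, CVE-2026-4406 and CVE-2026-3492) are the same mistake in three output contexts: a stored value echoed into HTML text with no escaping, JSON that keeps raw angle brackets and is served as text/html inside an HTML comment, and a value that survived a tag-stripping input filter with its quotes intact and was then placed in a single-quoted attribute by an escaper that handles only `&`, `<` and `>`. The Python below is an added example written for this page, not Gravity Forms or WordPress code: `strip_tags_keep_quotes`, `escape_amp_lt_gt_only`, `json_for_html` and `wrap_in_comment` are simplified stand-ins for the behaviour the advisories describe (not the real `sanitize_text_field()`, `saferHtml`, `wp_json_encode()` or `send_json()`), and the payload strings are constructed. It uses the standard library HTML tokenizer as the oracle for whether an injection actually produced a tag or an extra attribute, which is more honest than string matching on `<script`.

```python
"""Context-aware output escaping, checked with a real HTML tokenizer.

Added example for the Gravity Forms XSS entries; helpers are simplified
stand-ins written here, not the plugin's own functions.
"""
import html
import json
import re
from html.parser import HTMLParser

# Constructed attacker inputs (not taken from any advisory).
ATTR_PAYLOAD = "Contact' onmouseover='alert(1)"        # escapes a '-quoted attribute
TEXT_PAYLOAD = "visa<img src=x onerror=alert(1)>"     # tag in an HTML text context
JSON_PAYLOAD = ["--><script>alert(1)</script><!--"]   # closes an HTML comment wrapper


# --- the gaps the advisories describe (modelled, not the real code) --------
def strip_tags_keep_quotes(value: str) -> str:
    """Input filter that drops <...> but leaves quotes: fine for element text,
    useless once the value is dropped into an attribute."""
    return re.sub(r"<[^>]*>", "", value)


def escape_amp_lt_gt_only(value: str) -> str:
    """Output escaper that forgets quotes (the saferHtml gap)."""
    return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def wrap_in_comment(body: str) -> str:
    """Stand-in for 'JSON wrapped in HTML comment delimiters, served as text/html'."""
    return "<!--" + body + "-->"


# --- hardened equivalents --------------------------------------------------
def escape_html(value: str) -> str:
    """Escapes & < > \" and ': safe for element text and for attribute values."""
    return html.escape(value, quote=True)


def json_for_html(obj) -> str:
    """JSON with < > & written as \\u003c \\u003e \\u0026. json.loads() decodes
    it unchanged, but an HTML parser never sees a tag or a comment terminator,
    so the wrong Content-Type no longer turns the payload into markup."""
    text = json.dumps(obj, ensure_ascii=False)
    return text.replace("&", "\\u0026").replace("<", "\\u003c").replace(">", "\\u003e")


def render_title_attr(value: str, escaper) -> str:
    """The dropdown-option shape the CVE-2026-3492 entry describes."""
    return f"<option title='{escaper(value)}'>"


# --- oracle: what does a real tokenizer make of the fragment? --------------
class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(attrs)


def tokenize(markup: str):
    """Return (tag names, (name, value) attribute pairs) the parser produced."""
    c = _Collector()
    c.feed(markup)
    c.close()
    return c.tags, c.attrs


def has_event_handler(markup: str) -> bool:
    return any(name.startswith("on") for name, _ in tokenize(markup)[1])


def demo() -> dict:
    stored = strip_tags_keep_quotes(ATTR_PAYLOAD)   # quotes survive the input filter
    return {
        # CVE-2026-3492 chain: tag-stripper + quote-blind escaper -> new attribute
        "attr_vulnerable": has_event_handler(render_title_attr(stored, escape_amp_lt_gt_only)),
        "attr_fixed": has_event_handler(render_title_attr(stored, escape_html)),
        # CVE-2026-4394: raw echo produces an <img>, escaped echo does not
        "text_vulnerable": "img" in tokenize(TEXT_PAYLOAD)[0],
        "text_fixed": "img" in tokenize(escape_html(TEXT_PAYLOAD))[0],
        # CVE-2026-4406: json.dumps keeps --> and <script>, json_for_html does not
        "json_vulnerable": "script" in tokenize(wrap_in_comment(json.dumps(JSON_PAYLOAD)))[0],
        "json_fixed": "script" in tokenize(wrap_in_comment(json_for_html(JSON_PAYLOAD)))[0],
        "json_roundtrip": json.loads(json_for_html(JSON_PAYLOAD)) == JSON_PAYLOAD,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

The `json_fixed` case is worth noting: escaping the angle brackets in the JSON fixes the symptom even if the `Content-Type` header is left wrong, but the real fix is both, since `application/json` also stops browsers from rendering the body at all.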

CVE-2025-13407 - Gravity Forms Plugin
Severity: MEDIUM (CVSS 6.8) | Published: 2025-12-24 | Entry updated: 2025-12-29 | Plugin: Gravity Forms

The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path.

CVE-2025-12974 - Gravity Forms Plugin
Severity: HIGH (CVSS 8.1) | Published: 2025-11-18 | Entry updated: 2025-11-18 | Plugin: Gravity Forms

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including, 2.9.21.1. This is due to the extension blacklist not including .phar files, which can be uploaded through the chunked upload mechanism. This makes it possible for unauthenticated attackers to upload executable .phar files and achieve remote code execution on the server, granted they can discover or enumerate the upload path. In order for an attacker to achieve RCE, the…

CVE-2025-12352 - Gravity Forms Plugin
Severity: CRITICAL (CVSS 9.8) | Published: 2025-11-07 | Entry updated: 2025-11-12 | Plugin: Gravity Forms

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the copy_post_image() function in all versions up to, and including, 2.9.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This only impacts sites that have allow_url_fopen set to `On`, the post creation form enabled along with a file upload field for the post
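
The three upload entries above (CVE-2025-13407, CVE-2025-12974 and CVE-2025-12352) share a root cause: the decision about whether a file is dangerous was made from an incomplete deny list (one that, per the CVE-2025-12974 entry, did not contain `.phar`) or not made at all. The Python below is an added example, not Gravity Forms code, showing the deny-list pattern beside an allow-list check, a leading-bytes check for the types the allow list admits, and an unguessable on-disk name that makes the "discover or enumerate the upload path" precondition harder. `BLACKLIST` is a constructed list that deliberately omits `phar` to reproduce the described gap; `ALLOWLIST` and the signature table are this example's own choices, and the sample file contents are constructed.

```python
"""Upload validation: deny list (vulnerable pattern) vs allow list plus
content sniffing. Added example; lists and signatures are this example's own."""
import os
import secrets

# Constructed deny list that, like the one CVE-2025-12974 describes, lacks "phar".
BLACKLIST = {"php", "php3", "php4", "php5", "php7", "phtml", "phps", "cgi", "pl"}

# Types the application actually needs. Anything else is rejected by default.
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv", "zip"}

# Leading bytes a file must start with to be accepted under that extension.
MAGIC = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
    "zip":  [b"PK\x03\x04"],
}


def _segments(filename: str) -> list:
    """Dotted segments of the lower-cased base name; path parts are ignored."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    return base.split(".")


def blacklist_allows(filename: str) -> bool:
    """The vulnerable pattern: any extension the list forgot passes."""
    parts = _segments(filename)
    return len(parts) < 2 or parts[-1] not in BLACKLIST


def allowlist_allows(filename: str) -> bool:
    """Every dotted segment after the base name must be allow-listed, which
    rejects shell.php.png and dotfiles such as .htaccess. Deliberately strict:
    report.2025.pdf is also rejected, which is the safer default."""
    parts = _segments(filename)
    if len(parts) < 2 or parts[0] == "":
        return False
    return all(p in ALLOWLIST for p in parts[1:])


def content_matches_extension(data: bytes, filename: str) -> bool:
    """Leading bytes must match the declared type; allow-listed types without
    a signature (txt, csv) are accepted on extension alone."""
    ext = _segments(filename)[-1]
    sigs = MAGIC.get(ext)
    if sigs is None:
        return ext in ALLOWLIST
    return any(data.startswith(s) for s in sigs)


def storage_name(filename: str) -> str:
    """Random on-disk name that keeps only the validated extension."""
    return f"{secrets.token_hex(16)}.{_segments(filename)[-1]}"


def accept_upload(filename: str, data: bytes):
    """Return the name to store under, or None if the upload is rejected."""
    if not allowlist_allows(filename) or not content_matches_extension(data, filename):
        return None
    return storage_name(filename)


# Constructed sample contents.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_BYTES = b"<?php system($_GET['c']); ?>"

if __name__ == "__main__":
    for name, data in [("photo.png", PNG_BYTES), ("shell.phar", PHP_BYTES),
                       ("fake.png", PHP_BYTES), ("shell.php.png", PNG_BYTES)]:
        print(f"{name:14} denylist={blacklist_allows(name)!s:5} "
              f"allowlist={allowlist_allows(name)!s:5} stored_as={accept_upload(name, data)}")
```

For the CVE-2025-12352 case, where the file is fetched by URL rather than received in the request body, the same `content_matches_extension` check applies to the fetched bytes; the remote `Content-Type` header is attacker-controlled and proves nothing.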

CVE-2024-13377 - Gravity Forms Plugin
Severity: HIGH (CVSS 7.2) | Published: 2025-01-17 | Entry updated: 2025-01-17 | Plugin: Gravity Forms

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `alt` parameter in all versions up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-13378 - Gravity Forms Plugin
Severity: MEDIUM (CVSS 5.4) | Published: 2025-01-17 | Entry updated: 2025-01-17 | Plugin: Gravity Forms

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `style_settings` parameter in versions 2.9.0.1 up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attack is only successful in the Chrome web browser, and requires directly browsing the media file via the attachment post.

CVE-2023-2701 - Gravity Forms Plugin
Severity: MEDIUM (CVSS 6.1) | Published: 2023-07-17 | Entry updated: 2024-11-21 | Plugin: Gravity Forms

The Gravity Forms WordPress plugin before 2.7.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high-privileged users such as administrators.

CVE-2023-2706 - OTP Login Woocommerce & Gravity Forms Plugin
Severity: HIGH (CVSS 8.1) | Published: 2023-05-17 | Entry updated: 2024-11-21 | Plugin: OTP Login Woocommerce & Gravity Forms (a third-party add-on, not Gravity Forms itself; tagged "Gravity Forms" in this database)

The OTP Login Woocommerce & Gravity Forms plugin for WordPress is vulnerable to authentication bypass. This is due to the fact that when generating OTP codes for users to use in order to log in via phone number, the plugin returns these codes in an AJAX response. This makes it possible for unauthenticated attackers to obtain login codes for administrators. This does require that the attacker has access to the phone number configured for an account, which can be obtained via social engineering or reconnaissance.

CVE-2022-3154 - Billingo / Szamlazz.hu Gravity Forms Integration Plugins
Severity: HIGH (CVSS 7.1) | Published: 2022-10-10 | Entry updated: 2024-11-21 | Plugin: Woo Billingo Plus, Integration for Billingo & Gravity Forms, Integration for Szamlazz.hu & Gravity Forms (third-party add-ons, not Gravity Forms itself; tagged "Gravity Forms" in this database)

The Woo Billingo Plus WordPress plugin before 4.4.5.4, the Integration for Billingo & Gravity Forms WordPress plugin before 1.0.4 and the Integration for Szamlazz.hu & Gravity Forms WordPress plugin before 1.2.7 lack CSRF checks in various AJAX actions, which could allow attackers to make logged-in Shop Managers and above perform unwanted actions, such as deactivating the plugin's license.
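
The entries above state their affected ranges in two forms, "all versions up to, and including, X" and "before X", and one of them (CVE-2024-13378) also has a lower bound. The Python below is an added example, not this site's or the plugin's code, that turns those statements into a lookup: given an installed Gravity Forms version it returns the CVEs from this page that cover it, comparing four-part versions correctly (so 2.9.30 is newer than 2.9.28.1, and 2.9.30 equals 2.9.30.0). The ranges are copied from the entry descriptions for the nine Gravity Forms core CVEs; CVE-2023-2706 and CVE-2022-3154 concern third-party add-ons and are left out. The `Version:` header parser relies on the standard WordPress plugin header format; the header text in the block is constructed, not the real plugin file.

```python
"""Map an installed Gravity Forms version to the CVEs on this page that
affect it. Added example; ranges transcribed from the entries above."""
import re

# (cve, lowest affected version or None, boundary version, boundary inclusive?)
#   "up to, and including, X"  -> (None, X, True)
#   "before X"                 -> (None, X, False)
AFFECTED = [
    ("CVE-2026-4394",  None,      "2.9.30",   True),
    ("CVE-2026-4406",  None,      "2.9.30",   True),
    ("CVE-2026-3492",  None,      "2.9.28.1", True),
    ("CVE-2025-13407", None,      "2.9.23.1", False),
    ("CVE-2025-12974", None,      "2.9.21.1", True),
    ("CVE-2025-12352", None,      "2.9.20",   True),
    ("CVE-2024-13377", None,      "2.9.1.3",  True),
    ("CVE-2024-13378", "2.9.0.1", "2.9.1.3",  True),
    ("CVE-2023-2701",  None,      "2.7.5",    False),
]


def parse_version(v: str) -> tuple:
    v = v.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in v.split("."))


def compare(a: str, b: str) -> int:
    """-1, 0 or 1; shorter versions are padded with zeros (2.9.30 == 2.9.30.0)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def affecting(installed: str) -> list:
    """CVE ids from AFFECTED whose range covers `installed`, in page order."""
    hits = []
    for cve, low, bound, inclusive in AFFECTED:
        if low is not None and compare(installed, low) < 0:
            continue
        c = compare(installed, bound)
        if c < 0 or (inclusive and c == 0):
            hits.append(cve)
    return hits


def version_from_plugin_header(php_source: str):
    """Read the Version: line of a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", php_source, re.MULTILINE)
    return m.group(1) if m else None


# Constructed header in the standard WordPress format; not the real file.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Gravity Forms
Plugin URI: https://gravityforms.com
Version: 2.9.28.1
*/
"""

if __name__ == "__main__":
    installed = version_from_plugin_header(SAMPLE_HEADER)
    print(installed, "->", affecting(installed) or "no listed CVEs")
```

Read the version from the main plugin file on disk rather than from the admin UI when auditing many sites; the header is the same field WordPress itself displays.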