CVE-2026-4406 - Vulnerability Analysis
Severity: Medium | CVSS: 4.7 | Last Updated: April 8, 2026
Gravity Forms - Reflected XSS
Published: April 8, 2026 | Updated: April 8, 2026 | PoC Available | Remote Exploitable
Overview
The Gravity Forms WordPress plugin, in versions up to and including 2.9.30, contains a reflected cross-site scripting vulnerability caused by improper handling of the JSON response in the gform_get_config AJAX action. Unauthenticated attackers can inject scripts via the form_ids parameter; exploitation requires user interaction.
Severity & Score
Severity: Medium
CVSS Score: 4.7
Impact
Unauthenticated attackers can inject and execute scripts in victim browsers, potentially altering page content or stealing user data.
Mitigation
Update to a version later than 2.9.30 or the latest available version.
References
- https://plugins.trac.wordpress.org/browser/gravityforms/trunk/common.php#L8267
- https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/config/class-gf-config-collection.php#L56
- https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/config/class-gf-config-service-provider.php#L144
- https://plugins.trac.wordpress.org/browser/gravityforms/trunk/includes/config/items/class-gf-config-global.php#L22
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4126d452-65a9-48f5-a3f5-5be1b8fff80c?source=cve
- https://docs.gravityforms.com/gravityforms-change-log/
Details
- CVE ID: CVE-2026-4406
- Severity: Medium
- CVSS Score: 4.7
- Type: reflected_xss
- Status: new
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N