VYPR
Medium severity · CVSS 6.4 · NVD Advisory · Published Mar 11, 2026 · Updated Apr 22, 2026

CVE-2026-3492

Description

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the create_from_template AJAX endpoint (allowing any authenticated user to create forms), insufficient input sanitization (sanitize_text_field() preserves single quotes), and missing output escaping when the form title is rendered in the Form Switcher dropdown (title attribute constructed without esc_attr(), and JavaScript saferHtml utility only escapes &, <, > but not quotes). This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary JavaScript that executes when an Administrator searches in the Form Switcher dropdown in the Form Editor.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Gravity Forms plugin via missing authorization, insufficient sanitization, and missing output escaping in the Form Switcher dropdown.

Vulnerability

Overview

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 2.9.28.1. The root cause is a compound failure: the create_from_template AJAX endpoint lacks authorization checks, allowing any authenticated user (Subscriber-level and above) to create forms. Additionally, the plugin uses sanitize_text_field() which preserves single quotes, and the form title is rendered in the Form Switcher dropdown without proper output escaping. The title attribute is constructed without esc_attr(), and the JavaScript saferHtml utility only escapes &, <, > but not quotes, enabling injection of arbitrary JavaScript.
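The escaping gap described above can be checked directly. The block below is an added example, not Gravity Forms code: `saferHtmlWeak` is a constructed re-implementation that models the behaviour the advisory attributes to the plugin's saferHtml utility (only `&`, `<`, `>` encoded), `escapeAttr` is a hardened attribute escaper that also encodes both quote characters (the same five-character set as WordPress's `esc_attr()`), and `renderOption`, `attributeValueIsInert` and `SAMPLE_TITLE` are assumed names and constructed data used only to show the difference in a single-quoted attribute context.

```javascript
// Weak escaper: models the behaviour the advisory describes for saferHtml.
// Constructed re-implementation, not the plugin's own source.
function saferHtmlWeak(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened attribute escaper: '&' first so later entities are not double
// encoded, then the four characters that can end an attribute or open a tag.
function escapeAttr(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Dropdown entry built the way the advisory describes the vulnerable path:
// the form title is placed inside a single-quoted title attribute.
function renderOption(title, escaper) {
  const safe = escaper(title);
  return "<li title='" + safe + "'>" + safe + "</li>";
}

// Review check: after escaping, is any raw attribute/tag delimiter left, or
// any bare '&' that is not the start of an entity?
function attributeValueIsInert(escaped) {
  return !/[<>"']/.test(escaped) && !/&(?![a-zA-Z#0-9]+;)/.test(escaped);
}

// Constructed sample title: an ordinary name containing a single quote.
const SAMPLE_TITLE = "Bob's Contact Form <draft>";

function demo() {
  return {
    weak: renderOption(SAMPLE_TITLE, saferHtmlWeak),
    hardened: renderOption(SAMPLE_TITLE, escapeAttr),
    weakInert: attributeValueIsInert(saferHtmlWeak(SAMPLE_TITLE)),
    hardenedInert: attributeValueIsInert(escapeAttr(SAMPLE_TITLE)),
  };
}

const result = demo();
console.log("weak:     ", result.weak, "inert:", result.weakInert);
console.log("hardened: ", result.hardened, "inert:", result.hardenedInert);
```

With the weak escaper the single quote in the title survives into the `title='...'` attribute, which is exactly the context the advisory says is unescaped; with `escapeAttr` the same title renders as `Bob&#039;s Contact Form &lt;draft&gt;` and the check passes. The fix is to escape for the attribute context on output (`esc_attr()` in PHP, an attribute-aware escaper in JS) rather than relying on `sanitize_text_field()` at input time, which the advisory notes leaves single quotes intact.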

Exploitation

An authenticated attacker with Subscriber-level access can create a form with a malicious title containing JavaScript payloads. When an Administrator searches in the Form Switcher dropdown in the Form Editor, the injected script executes in the context of the admin's session. This attack requires no special privileges beyond a basic user account and leverages the lack of authorization on the form creation endpoint.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of an Administrator. This can lead to session hijacking, defacement, or theft of sensitive information within the WordPress admin context. The attack is stored, meaning the payload persists until the form is deleted or the plugin is updated.

Mitigation

The vulnerability is patched in version 2.10.2, as indicated in the Gravity Forms changelog [1]. Users are strongly advised to update to the latest version. No workaround is available; updating is the only complete fix.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)