VYPR
Medium severity (6.1) · NVD Advisory · Published Apr 8, 2026 · Updated Apr 27, 2026

CVE-2026-4394

Description

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Credit Card field's 'Card Type' sub-field (input_.4) in all versions up to, and including, 2.9.30. This is due to the get_value_entry_detail() method in the GF_Field_CreditCard class outputting the card type value without escaping, combined with get_value_save_entry() accepting and storing unsanitized user input for the input_.4 parameter. The Card Type field is not rendered on the frontend form (it is normally derived from the card number), but the backend submission parser blindly accepts it if included in the POST request. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form entry in the WordPress dashboard.
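An added illustration (not Gravity Forms' code) of the two-sided defect the description names: a save step that keeps the submitted value verbatim and an entry-detail step that emits it unescaped, next to a hardened pair that allowlists the card type on save and escapes on output. The function names, the POST key (`card_type` standing in for the input_.4 sub-field) and the card-type list are assumptions made for the example.

```php
<?php
// Added illustration only; not Gravity Forms code. The function names, the
// POST key ('card_type' standing in for the input_.4 sub-field) and the
// card-type list are assumptions made for the example.

// Types the sub-field can legitimately hold. The real field derives this from
// the card number, so a submitter-supplied value should never be trusted.
const ALLOWED_CARD_TYPES = ['Visa', 'MasterCard', 'Amex', 'Discover'];

// --- Vulnerable pattern, as the advisory describes it ---

// Save step: keeps whatever arrived in the request body, unvalidated.
function store_card_type_vulnerable(array $post): string {
    return (string) ($post['card_type'] ?? '');
}

// Entry-detail step: concatenates the stored value straight into HTML.
function render_card_type_vulnerable(string $stored): string {
    return '<td>' . $stored . '</td>';
}

// --- Hardened pattern ---

// Save step: only a known card type is stored; anything else becomes ''.
function store_card_type_hardened(array $post): string {
    $candidate = trim((string) ($post['card_type'] ?? ''));
    return in_array($candidate, ALLOWED_CARD_TYPES, true) ? $candidate : '';
}

// Entry-detail step: escape for the HTML context regardless of what is
// stored (defence in depth for entries saved before the fix). Inside
// WordPress this is esc_html(); htmlspecialchars() keeps the snippet
// runnable on plain PHP.
function render_card_type_hardened(string $stored): string {
    return '<td>' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed sample request: the browser form never sends this key, so its
// presence is itself worth logging as a tampered submission.
$submission = ['card_type' => '<b>not a card type</b>'];

// Vulnerable path: the markup survives both steps and reaches the admin page.
echo render_card_type_vulnerable(store_card_type_vulnerable($submission)), PHP_EOL;

// Hardened path: rejected on save; a value stored before the fix is still escaped.
echo render_card_type_hardened(store_card_type_hardened($submission)), PHP_EOL;
echo render_card_type_hardened('<b>legacy value</b>'), PHP_EOL;
```

The allowlist check at save time is the fix for the defect the advisory describes; the output escaping additionally protects entries that were stored while the vulnerable version was in use.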

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Gravity Forms via Credit Card field allows unauthenticated attackers to execute scripts in admin dashboard.

The Gravity Forms plugin for WordPress versions up to 2.9.30 contains a stored cross-site scripting vulnerability in the Credit Card field's Card Type sub-field (input_.4). The get_value_entry_detail() method outputs the card type value without escaping, while get_value_save_entry() accepts and stores unsanitized user input for this parameter [1]. Although the Card Type field is not displayed on the frontend form (it is normally derived from the card number), the backend submission parser blindly processes it if included in the POST request.

An unauthenticated attacker can exploit this vulnerability by submitting a form with a crafted POST parameter containing malicious JavaScript in the card type value. Since the field is not rendered on the frontend, the attacker simply sends a direct POST request with the malicious input. When an administrator later views the entry in the WordPress dashboard, the injected script executes in the context of the admin's session.

This stored XSS can lead to various malicious actions, such as stealing administrative cookies, performing actions as the admin, or redirecting to malicious sites. The impact is limited to the administrative interface but poses a significant risk due to elevated privileges.

The vendor has addressed this vulnerability in subsequent releases, as indicated by security enhancements in version 2.10.2 and earlier (see [1]). Users are strongly advised to update to the latest version of Gravity Forms to mitigate this and other potential vulnerabilities.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (6)

News mentions (1)