CVE-2026-4406

The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the formids parameter in the gformgetconfig AJAX action in all versions up to, and including, 2.9.30. This is due to the GFCommon::sendjson method outputting JSON-encoded data wrapped in HTML comment...

CVE-2026-4394

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Credit Card field's 'Card Type' sub-field input.4 in all versions up to, and including, 2.9.30. This is due to the getvalueentrydetail method in the GFFieldCreditCard class outputting the card type value...

WordPress plugin Everest Forms 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

PT-2026-31067

Name of the Vulnerable Software and Affected Versions Everest Forms plugin for WordPress versions up to and including 3.4.3 Description The Everest Forms plugin for WordPress is susceptible to PHP Object Injection due to the unsafe deserialization of untrusted input from form entry metadata. The...

WordPress plugin Gravity Forms 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

WordPress plugin Magic Conversation For Gravity Forms 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress plugin leadlovers forms 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

PT-2026-31112

Name of the Vulnerable Software and Affected Versions The Magic Conversation For Gravity Forms plugin for WordPress versions up to and including 3.0.97 Description The Magic Conversation For Gravity Forms plugin for WordPress is susceptible to Stored Cross-Site Scripting through the...

PT-2026-31220

Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects leadlovers forms: from n/a through = 1.0.2...

WordPress plugin Gravity Forms 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVE-2026-4394 Gravity Forms <= 2.9.30 - Unauthenticated Stored Cross-Site Scripting via Credit Card 'Card Type' Sub-Field

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Credit Card field's 'Card Type' sub-field input.4 in all versions up to, and including, 2.9.30. This is due to the getvalueentrydetail method in the GFFieldCreditCard class outputting the card type value...

CVE-2026-4394

Gravity Forms for WordPress (&lt;= 2.9.30) is vulnerable to unauthenticated stored XSS via the Credit Card field’s Card Type sub-field (input_.4). The get_value_entry_detail() method outputs the card type value without escaping, while get_value_save_entry() accepts and stores unsanitized input fo...

CVE-2026-4394 Gravity Forms <= 2.9.30 - Unauthenticated Stored Cross-Site Scripting via Credit Card 'Card Type' Sub-Field

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Credit Card field's 'Card Type' sub-field input.4 in all versions up to, and including, 2.9.30. This is due to the getvalueentrydetail method in the GFFieldCreditCard class outputting the card type value...

CVE-2026-4406 Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter

The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the formids parameter in the gformgetconfig AJAX action in all versions up to, and including, 2.9.30. This is due to the GFCommon::sendjson method outputting JSON-encoded data wrapped in HTML comment...

CVE-2026-4406

The CVE concerns Gravity Forms for WordPress (≤ 2.9.30) with a Reflected XSS in the gform_get_config AJAX action via the form_ids parameter. The root cause is that GFCommon::send_json() returns JSON wrapped in HTML comments using echo/wp_die(), sending a text/html header instead of application/js...

CVE-2026-4406 Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter

The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the formids parameter in the gformgetconfig AJAX action in all versions up to, and including, 2.9.30. This is due to the GFCommon::sendjson method outputting JSON-encoded data wrapped in HTML comment...

GHSA-FMWG-QCQH-M992 Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature

Summary Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely. Details Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns...

DEBIAN-CVE-2026-4292

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using ModelAdmin.listeditable incorrectly allowed new instances to be created via forged POST data. Earlier, unsupported Django series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated a...

WordPress Ninja Forms - File Upload plugin <= 3.3.26 - Unauthenticated Arbitrary File Upload vulnerability

WordPress Ninja Forms - File Upload plugin = 3.3.26 - Unauthenticated Arbitrary File Upload vulnerability discovered by Sélim Lanouar whattheslime in WordPress Plugin Ninja Forms File Uploads Extension versions = 3.3.26...

EUVD-2026-19572

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NFFUAJAXControllersUploads::handleupload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload...