Lucene search
K

6 matches found

EUVD
EUVD
added 2026/04/08 12:30 a.m.7 views

EUVD-2026-19994

The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the formids parameter in the gformgetconfig AJAX action in all versions up to, and including, 2.9.30. This is due to the GFCommon::sendjson method outputting JSON-encoded data wrapped in HTML comment...

4.7CVSS6.1AI score0.00356EPSS
Exploits0References7
NVD
NVD
added 2026/04/08 12:16 a.m.7 views

CVE-2026-4406

The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the formids parameter in the gformgetconfig AJAX action in all versions up to, and including, 2.9.30. This is due to the GFCommon::sendjson method outputting JSON-encoded data wrapped in HTML comment...

4.7CVSS0.00356EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/04/08 12:0 a.m.7 views

WordPress plugin Gravity Forms 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

4.7CVSS5.7AI score0.00356EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/04/07 11:25 p.m.23 views

CVE-2026-4406 Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter

The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the formids parameter in the gformgetconfig AJAX action in all versions up to, and including, 2.9.30. This is due to the GFCommon::sendjson method outputting JSON-encoded data wrapped in HTML comment...

4.7CVSS0.00356EPSS
Exploits0References6
CVE
CVE
added 2026/04/07 11:25 p.m.15 views

CVE-2026-4406

The CVE concerns Gravity Forms for WordPress (≤ 2.9.30) with a Reflected XSS in the gform_get_config AJAX action via the form_ids parameter. The root cause is that GFCommon::send_json() returns JSON wrapped in HTML comments using echo/wp_die(), sending a text/html header instead of application/js...

4.7CVSS6.1AI score0.00356EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.5 views

PT-2026-31051

The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the form ids parameter in the gform get config AJAX action in all versions up to, and including, 2.9.30. This is due to the GFCommon::send json method outputting JSON-encoded data wrapped in HTML comment...

4.7CVSS6.1AI score0.00356EPSS
Exploits0References7
Rows per page
Query Builder