EUVD-2026-19990
GHSA-5pv5-mj98-fr8x
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Credit Card field's 'Card Type' sub-field (input_<id>.4) in all versions up to, and including, 2.9.30. This is due to the get_value_entry_detail() method in the GF_Field_CreditCard class outputting the card type value without escaping, combined with get_value_save_entry() accepting and storing unsanitized user input for the input_<id>.4 parameter. The Card Type field is not rendered on the frontend form (it is normally derived from the card number), but the backend submission parser blindly accepts it if included in the POST request. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form entry in the WordPress dashboard.
AnalysisAI
Stored cross-site scripting in Gravity Forms plugin for WordPress up to version 2.9.30 allows unauthenticated attackers to inject malicious scripts via the Credit Card field's 'Card Type' sub-field. The vulnerability exploits a gap between frontend validation (Card Type is auto-derived from card number) and backend acceptance of unsanitized POST parameters, combined with unescaped output when administrators view form entries in the WordPress dashboard. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Vulnerability AssessmentAI
| Risk Assessment | This vulnerability presents moderate real-world risk despite the 6.1 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker submits a credit card form on a vulnerable WordPress site, but instead of following the normal frontend flow, crafts a direct POST request with malicious JavaScript embedded in the Card Type sub-field parameter (e.g., `input_<id>.4=<img src=x onerror='steal_admin_cookies()'>`). The backend blindly accepts and stores this value. … |
| Remediation | Update Gravity Forms plugin to a patched version released after 2.9.30. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that i
Remote code execution in UpdraftPlus: WP Backup & Migration Plugin for WordPress (versions ≤1.26.4) allows unauthenticat
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline
Remote code execution in Edgar Rojas WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) allows un
Share
External POC / Exploit Code
Leaving vuln.today