CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Credit Card field's 'Card Type' sub-field (`input_<id>.4`) in all versions up to, and including, 2.9.30. This is due to the `get_value_entry_detail()` method in the `GF_Field_CreditCard` class outputting the card type value without escaping, combined with `get_value_save_entry()` accepting and storing unsanitized user input for the `input_<id>.4` parameter. The Card Type field is not rendered on the frontend form (it is normally derived from the card number), but the backend submission parser blindly accepts it if included in the POST request. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form entry in the WordPress dashboard.
Analysis
Stored cross-site scripting in the Gravity Forms plugin for WordPress, up to and including version 2.9.30, allows unauthenticated attackers to inject malicious scripts via the Credit Card field's 'Card Type' sub-field. The flaw stems from a gap between the frontend, where Card Type is not an editable input but is derived from the card number, and the backend submission parser, which accepts the `input_<id>.4` POST parameter without sanitization; the stored value is then output unescaped when an administrator views the form entry in the WordPress dashboard. …
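The Description and Analysis above both describe the same two-part defect: a save path that stores whatever arrives in `input_<id>.4`, and an entry-detail renderer that echoes the stored value into admin HTML. The following PHP script, added here as an illustration and not taken from Gravity Forms or from the vendor's fix, models that flow with hypothetical functions (`save_card_type_vulnerable`, `render_card_type_hardened`, `derive_card_type`, and so on) next to a hardened version that ignores the submitted sub-field, derives the type from the card number, and escapes on output. The card-number sub-field index `.1`, the card-type list and the prefix ranges are assumptions made for the example; the `esc_html()` stand-in only exists so the script runs outside WordPress.

```php
<?php
declare(strict_types=1);

// Added example, not Gravity Forms code. Models the advisory's two defects and
// one way to close them. Every function name here is hypothetical.

// Stand-in for the WordPress helper so the script also runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Card types this illustrative field accepts (assumed list, not the plugin's).
const CARD_TYPES = ['amex', 'discover', 'mastercard', 'visa'];

// --- Vulnerable pattern: the flow the advisory describes -------------------
// Save: whatever arrives in input_<id>.4 is stored, even though the frontend
// form never renders that sub-field as an input.
function save_card_type_vulnerable(array $post, int $field_id): string
{
    return (string) ($post["input_{$field_id}.4"] ?? '');
}

// Render: the stored value is concatenated straight into the admin entry view.
function render_card_type_vulnerable(string $stored): string
{
    return '<td class="card-type">' . $stored . '</td>';
}

// --- Hardened pattern (illustrative, not the vendor's patch) ---------------
// Derive the type from the card number's leading digits (simplified ranges,
// an assumption for the example) instead of trusting the submitted sub-field.
function derive_card_type(string $number): string
{
    $digits = preg_replace('/\D+/', '', $number) ?? '';
    if (preg_match('/^3[47]/', $digits))      { return 'amex'; }
    if (preg_match('/^4/', $digits))          { return 'visa'; }
    if (preg_match('/^5[1-5]/', $digits))     { return 'mastercard'; }
    if (preg_match('/^6(?:011|5)/', $digits)) { return 'discover'; }
    return '';
}

// Save: ignore input_<id>.4 entirely; only an allow-listed token is ever stored.
// The card number is assumed to live in sub-field .1 for this example.
function save_card_type_hardened(array $post, int $field_id): string
{
    $type = derive_card_type((string) ($post["input_{$field_id}.1"] ?? ''));
    return in_array($type, CARD_TYPES, true) ? $type : '';
}

// Render: escape on output regardless of what the database holds, because
// entries stored before a fix (or via other code paths) may still contain markup.
function render_card_type_hardened(string $stored): string
{
    return '<td class="card-type">' . esc_html($stored) . '</td>';
}

// --- Constructed submission: the hidden sub-field is simply added to the POST body
$field_id = 3;
$post = [
    "input_{$field_id}.1" => '4111 1111 1111 1111',      // card number (assumed index)
    "input_{$field_id}.4" => '<script>alert(1)</script>', // card type, absent from the real form
];

$vuln = render_card_type_vulnerable(save_card_type_vulnerable($post, $field_id));
$safe = render_card_type_hardened(save_card_type_hardened($post, $field_id));

echo "vulnerable: {$vuln}\n";
echo "hardened:   {$safe}\n";

// A legacy entry that already holds markup is also neutralised by output escaping.
echo "legacy:     " . render_card_type_hardened('<img src=x onerror=alert(1)>') . "\n";

// Sanity checks on the two paths.
assert(strpos($vuln, '<script>') !== false);
assert($safe === '<td class="card-type">visa</td>');
assert(strpos(render_card_type_hardened('<img src=x onerror=alert(1)>'), '<img') === false);
```

Both halves of the fix matter independently: allow-listing at save time stops new poisoned entries, while escaping at render time protects administrators from entries that were already written before an upgrade. Run with `php example.php`.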
External POC / Exploit Code
EUVD-2026-19990
GHSA-5pv5-mj98-fr8x