
WordPress CVE-2026-4406

EUVD-2026-19994 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 · security@wordfence.com · GHSA-m698-rpjv-64j7
Score: 4.7 (CVSS 3.1, NVD)

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Apr 08, 2026 00:16 (nvd) - CVE Published, rated MEDIUM 4.7
Apr 08, 2026 00:22 (euvd) - EUVD ID Assigned: EUVD-2026-19994
Apr 08, 2026 00:22 (vuln.today) - Analysis Generated

Description (CVE.org)

The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the form_ids parameter in the gform_get_config AJAX action in all versions up to, and including, 2.9.30. This is due to the GFCommon::send_json() method outputting JSON-encoded data wrapped in HTML comment delimiters using echo and wp_die(), which serves the response with a Content-Type: text/html header instead of application/json. The wp_json_encode() function does not HTML-encode angle brackets within JSON string values, allowing injected HTML/script tags in form_ids array values to be parsed and executed by the browser. The required config_nonce is generated with wp_create_nonce('gform_config_ajax') and is publicly embedded on every page that renders a Gravity Forms form, making it identical for all unauthenticated visitors within the same 12-hour nonce tick. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This vulnerability cannot be exploited against users who are authenticated on the target system, but could be used to alter the target page.
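The root cause described above needs two conditions at once: the JSON encoder leaves raw angle brackets inside string values, and the response is labelled text/html so the browser is willing to parse the body as a document. The following PHP script is an added illustration written for this page; it is not Gravity Forms or WordPress code, and the builder functions, the is_exposed check and the $form_ids input are all constructed for the example. It models the vulnerable response shape beside the two standard controls, a correct Content-Type header and json_encode's JSON_HEX_* flags (both real PHP), and runs stand-alone on PHP 8.

```php
<?php
declare(strict_types=1);

// Added example; not Gravity Forms or WordPress code. It models the two conditions
// the advisory describes (JSON whose string values keep raw '<' and '>', served with
// Content-Type: text/html) and the two controls that each remove the bug. All
// function names are hypothetical and $form_ids is constructed input. Requires PHP 8.

/** Shape the advisory describes: raw JSON inside an HTML comment, served as text/html. */
function build_response_vulnerable(array $form_ids): array
{
    // Like wp_json_encode() with default flags: '<' and '>' survive inside strings.
    $json = json_encode(['form_ids' => $form_ids]);
    return [
        'headers' => ['Content-Type' => 'text/html; charset=utf-8'],
        'body'    => '<!--' . $json . '-->',
    ];
}

/** Control 1: label the body as JSON so the browser never parses it as a document. */
function build_response_json_content_type(array $form_ids): array
{
    return [
        'headers' => ['Content-Type' => 'application/json; charset=utf-8'],
        'body'    => json_encode(['form_ids' => $form_ids]),
    ];
}

/** Control 2 (defence in depth): hex-escape HTML-significant characters, so even a
 *  body mislabelled as text/html contains nothing a parser can treat as a tag. */
function build_response_hex_escaped(array $form_ids): array
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return [
        'headers' => ['Content-Type' => 'application/json; charset=utf-8'],
        'body'    => json_encode(['form_ids' => $form_ids], $flags),
    ];
}

function served_as_json(array $response): bool
{
    return str_starts_with($response['headers']['Content-Type'] ?? '', 'application/json');
}

function body_has_raw_tags(array $response): bool
{
    return str_contains($response['body'], '<') || str_contains($response['body'], '>');
}

/** The bug needs both conditions at once: an HTML content type and raw angle brackets. */
function is_exposed(array $response): bool
{
    return !served_as_json($response) && body_has_raw_tags($response);
}

// Constructed input: one legitimate id and one value that carries markup characters.
$form_ids = ['12', '<b>not-an-id</b>'];

foreach (['build_response_vulnerable', 'build_response_json_content_type', 'build_response_hex_escaped'] as $builder) {
    $response = $builder($form_ids);
    printf("%-33s content-type=%-31s exposed=%s\n  body: %s\n",
        $builder,
        $response['headers']['Content-Type'],
        is_exposed($response) ? 'yes' : 'no',
        $response['body']);
}
```

The two checks are kept separate on purpose: in a code review, a JSON endpoint that echoes raw `<` is not by itself a bug, and a text/html response is not by itself a bug; the check flags only the combination the advisory describes. Note that in the vulnerable builder the `<!--` and `-->` wrapper alone already puts angle brackets in the body, which is why the WordPress-native fix (sending the body as application/json, the behaviour of wp_send_json()) is the primary control and the JSON_HEX_* flags are a second layer for cases where the content type cannot be trusted.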

Analysis (AI)

Reflected cross-site scripting in the Gravity Forms plugin for WordPress, versions up to 2.9.30, allows unauthenticated attackers to inject arbitrary web scripts via the form_ids parameter of the gform_get_config AJAX action. The flaw stems from improper JSON encoding combined with an HTML content-type header and publicly reusable nonces; attackers can craft malicious links that, when clicked by users, execute the injected script on vulnerable pages. …


Vulnerability Assessment (AI)

Risk Assessment: CVSS 4.7 with vector AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N reflects a network-reachable attack of high complexity (the victim must be induced to follow a link), requiring no privileges but requiring user interaction (a click), with scope changed and low confidentiality and integrity impact. …
Exploit Scenario: An attacker crafts a malicious URL containing specially crafted form_ids parameter values with injected script tags (e.g., form_ids[]=<script>alert('xss')</script>) and shares it via email or social media. When an unauthenticated user clicks the link on a page with a Gravity Forms form, the browser parses the HTML-served JSON response, executes the injected script, and could steal session cookies, redirect to phishing sites, or perform actions on behalf of the user. …
Remediation: Upgrade the Gravity Forms plugin to version 2.9.31 or later, which addresses the JSON encoding and content-type handling issues in the gform_get_config AJAX action. …


CVE-2026-4406 vulnerability details – vuln.today
