Platform
wordpress
Component
gravityforms
Fixed in
2.9.29
CVE-2026-3492 describes a stored cross-site scripting (XSS) vulnerability in Gravity Forms, a widely used WordPress form plugin. It lets an authenticated user inject script into a form title that is later executed in the browsers of other users. All releases up to and including 2.9.28.1 are affected; the fix ships in version 2.9.29.
The vulnerability is the product of three shortcomings. First, the createfromtemplate AJAX endpoint performs no authorization check, so any authenticated account, not only one with form-creation rights, can create a form and choose its title. Second, the title is passed through sanitize_text_field(), which is an input filter, not an output escaper: it strips tags and normalizes whitespace but leaves single quotes intact, so a title containing a quote is stored unchanged. Third, the form title is rendered into the Form Switcher dropdown without context-appropriate escaping, so a quote in the title can close the surrounding attribute or string and introduce attacker-controlled markup or script. That script runs in the browser of any user who opens the Form Switcher, which lives in the plugin's admin screens, so a low-privilege account can reach administrators and editors and, for example, steal their session cookies or redirect them to a malicious site. The blast radius is every user who interacts with the Form Switcher.
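The following stand-alone PHP script is an added example, not Gravity Forms code, and reproduces the bug class described above: an input filter that leaves quotes intact, followed by output into an HTML attribute without context-specific escaping. The sanitize_stand_in() function is a simplified stand-in for WordPress's sanitize_text_field() (strip tags, collapse whitespace, leave quotes alone); the single-quoted option attribute is an assumed rendering context chosen for illustration, not the plugin's actual markup; and the form title is a constructed input. In WordPress the hardened branch corresponds to esc_attr() for attribute values and esc_html() for text nodes.

```php
<?php
// Added example (not Gravity Forms code); runs with the PHP 8 CLI, no WordPress required.
// It reproduces the bug class on this page: an input filter that leaves quotes intact,
// followed by output into an HTML attribute without context-specific escaping.

// Stand-in for WordPress sanitize_text_field(): strips tags and collapses whitespace.
// Like the real function it does NOT touch quote characters; it is not an escaper.
function sanitize_stand_in(string $input): string
{
    $stripped = strip_tags($input);
    return trim(preg_replace('/[\r\n\t ]+/', ' ', $stripped));
}

// Vulnerable rendering: the stored title lands inside a single-quoted attribute as-is.
// (A single-quoted <option> attribute is an assumed context for illustration only.)
function render_option_vulnerable(string $title): string
{
    return "<option value='{$title}'>{$title}</option>";
}

// Hardened rendering: escape for the exact output context. In WordPress use esc_attr()
// for attribute values and esc_html() for text nodes; htmlspecialchars() with ENT_QUOTES
// is the plain-PHP equivalent used here so the script runs stand-alone.
function render_option_hardened(string $title): string
{
    $attr = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<option value='{$attr}'>{$attr}</option>";
}

// Does the rendered markup contain an attribute that the title closed early and
// followed with a new attribute of its own?
function attribute_breakout(string $html): bool
{
    return (bool) preg_match("/value='[^']*' [a-z]+='/", $html);
}

// Constructed form title: no tags for the filter to strip, but a quote followed by an
// event-handler attribute, which is all an attribute-context XSS needs.
$title = sanitize_stand_in("Contact' onmouseover='alert(1)");

foreach (['vulnerable' => render_option_vulnerable($title),
          'hardened'   => render_option_hardened($title)] as $label => $html) {
    printf("%-10s %s\n           breakout: %s\n", $label, $html,
        attribute_breakout($html) ? 'YES' : 'no');
}
```

Running it shows that the filtered title survives with its quote, that the vulnerable branch emits a second attribute the attacker controls, and that escaping for the attribute context neutralizes the same title. The fix is therefore on the output side; tightening the input filter alone would leave every other output context unprotected.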
CVE-2026-3492 was publicly disclosed on 2026-03-11. No public proof-of-concept (PoC) code had been released at the time of writing, but the low bar for exploitation (any authenticated account and a single stored title) suggests one could appear quickly. The vulnerability is not currently listed in the CISA KEV catalog. The combination of an authenticated attack vector and the potential for widespread impact warrants close monitoring.
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3492 is to upgrade Gravity Forms to version 2.9.29 or later without delay. If upgrading is not immediately feasible because of compatibility concerns, enforce the missing authorization check yourself: deny the createfromtemplate AJAX endpoint to any account that lacks the Gravity Forms form-creation capability. A Web Application Firewall (WAF) rule that rejects quote characters or markup in the form title field adds a further layer of defense but is not a complete fix, because it addresses the input rather than the missing output escaping. Also review existing forms, particularly those created by low-privilege accounts, for titles containing quotes or markup.
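One way to enforce the missing capability check until the site runs 2.9.29, as an added example rather than Gravity Forms code: a must-use plugin that intercepts the AJAX request before the plugin's own handler runs. The page does not give the wp_ajax action slug of the createfromtemplate endpoint, so GF_CFT_ACTION_SLUG below is a hypothetical placeholder to be replaced with the slug found in the installed plugin's source; gravityforms_create_form is the capability Gravity Forms grants to roles allowed to create forms.

```php
<?php
/**
 * Plugin Name: Interim capability gate for the Gravity Forms create-from-template endpoint
 * Description: Added example (not Gravity Forms code). Drop into wp-content/mu-plugins/ as a
 *              stop-gap until the site runs Gravity Forms 2.9.29 or later, then remove it.
 */

// ASSUMPTION: the advisory does not name the wp_ajax action slug of the createfromtemplate
// endpoint. Look it up in the installed plugin's source (grep for "wp_ajax_") and set it here.
const GF_CFT_ACTION_SLUG = 'gf_create_from_template'; // hypothetical placeholder

// admin_init fires on admin-ajax.php before any wp_ajax_* handler runs, so a check here
// precedes the plugin's own callback regardless of hook priority.
add_action('admin_init', function (): void {
    if (!wp_doing_ajax()) {
        return;
    }

    $action = isset($_REQUEST['action'])
        ? sanitize_key(wp_unslash($_REQUEST['action']))
        : '';

    if ($action !== GF_CFT_ACTION_SLUG) {
        return;
    }

    // Only accounts that Gravity Forms itself allows to create forms may reach the endpoint.
    if (!current_user_can('gravityforms_create_form')) {
        error_log(sprintf(
            'CVE-2026-3492 gate: blocked %s for user %d',
            GF_CFT_ACTION_SLUG,
            get_current_user_id()
        ));
        wp_send_json_error(['message' => 'You are not allowed to create forms.'], 403);
    }
});
```

wp_send_json_error() terminates the request, so the plugin's handler never runs for a denied account; the error_log() line gives a hook for detection while the gate is in place. This closes the authorization gap only, not the missing output escaping, so the upgrade remains necessary.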
Update to version 2.9.29 or a later patched version
CVE-2026-3492 is a stored cross-site scripting vulnerability in the Gravity Forms WordPress plugin that allows authenticated users to inject malicious scripts. It affects all versions up to and including 2.9.28.1.
If your WordPress site runs Gravity Forms at any version up to and including 2.9.28.1, it is affected by this XSS vulnerability.
Upgrade Gravity Forms to version 2.9.29 or later to resolve the vulnerability. If you cannot upgrade immediately, restrict the form-creation endpoint to accounts with the form-creation capability as a temporary workaround.
As of this assessment there are no reports of CVE-2026-3492 being exploited in the wild, but apply the patch promptly.
Refer to the official Gravity Forms website and WordPress security announcements for the latest information and advisory regarding CVE-2026-3492: [https://gravityforms.com/news/security/](https://gravityforms.com/news/security/)