Platform: wordpress
Component: gravityforms
Fixed in: 2.9.29
CVE-2026-3492 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting Gravity Forms, a popular WordPress plugin. This vulnerability allows authenticated users to inject malicious scripts that can be executed in the browsers of other users. The vulnerability impacts versions 0.0.0 through 2.9.28.1, and a fix is available in version 2.9.29.
Successful exploitation of CVE-2026-3492 allows an attacker to execute arbitrary JavaScript code within the context of another user's browser session. This can lead to account takeover, data theft (including sensitive information entered into forms), and defacement of the WordPress site. The vulnerability stems from a combination of factors: unauthorized form creation via the createfromtemplate endpoint, insufficient sanitization of form titles, and a lack of proper output escaping when rendering the form title in the Form Switcher dropdown. An attacker could craft a malicious form template that, when created by an authenticated user, would inject a script that steals cookies or redirects users to a phishing site.
CVE-2026-3492 was published on March 11, 2026. Severity is rated as Medium (CVSS 6.4). No public exploits or active campaigns have been reported at this time. The vulnerability's reliance on authenticated users limits its immediate exploitability but highlights the importance of strong user access controls and regular plugin updates.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-3492 is to upgrade Gravity Forms to version 2.9.29 or later. If immediate upgrading is not possible, consider implementing temporary workarounds. Restrict access to the createfromtemplate AJAX endpoint to authorized users only. Implement stricter input validation and sanitization on all user-supplied data, particularly form titles. Consider using a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Review existing Gravity Forms configurations for any unusual or suspicious form templates.
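As an added illustration (not code from Gravity Forms, WordPress core, or this advisory), the sketch below pairs each of the three weaknesses named in the analysis above (unauthorized creation via the AJAX endpoint, unsanitized form titles, unescaped output in the form switcher) with the mitigation described here. The hook name, option name, function names and the `manage_options` capability are assumptions chosen for the example; only the WordPress core helpers (`check_ajax_referer`, `current_user_can`, `sanitize_text_field`, `esc_html`, `selected`) are real.

```php
<?php
// Added illustration, not Gravity Forms code. Hook, option and function
// names are hypothetical; the capability 'manage_options' is an assumption.

// 1. Authorization: a "create from template" AJAX handler must verify a nonce
//    and a capability before acting. Without these, any logged-in account,
//    including a subscriber, could create forms.
add_action( 'wp_ajax_example_create_from_template', 'example_create_from_template' );

function example_create_from_template() {
    check_ajax_referer( 'example_create_form', 'nonce' );   // CSRF check
    if ( ! current_user_can( 'manage_options' ) ) {        // least privilege
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Input sanitization: strip tags and control characters from the title
    //    at the trust boundary, before it is stored.
    $raw_title = isset( $_POST['title'] ) ? wp_unslash( $_POST['title'] ) : '';
    $title     = sanitize_text_field( $raw_title );
    if ( '' === $title ) {
        wp_send_json_error( 'empty title', 400 );
    }

    $forms   = get_option( 'example_forms', array() );
    $forms[] = array( 'id' => count( $forms ) + 1, 'title' => $title );
    update_option( 'example_forms', $forms );
    wp_send_json_success( array( 'title' => $title ) );
}

// 3. Output escaping: the form-switcher dropdown escapes the title at render
//    time even though it was sanitized on input. Defence in depth: data can
//    reach the database by other paths (imports, rows written by older versions).
function example_render_form_switcher( array $forms, int $current_id ): string {
    $html = '<select name="form_id">';
    foreach ( $forms as $form ) {
        $html .= sprintf(
            '<option value="%d"%s>%s</option>',
            (int) $form['id'],
            selected( $current_id, (int) $form['id'], false ),
            esc_html( $form['title'] )                      // HTML-context escaping
        );
    }
    return $html . '</select>';
}
```

Removing any one of the three controls reopens a link in the chain the advisory describes; the patched behaviour depends on all of them together.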
Update to version 2.9.29, or a newer patched version
CVE-2026-3492 is a Stored Cross-Site Scripting vulnerability in the Gravity Forms WordPress plugin, allowing authenticated users to inject malicious scripts. It affects versions 0.0.0–2.9.28.1.
If you are using Gravity Forms version 0.0.0 through 2.9.28.1 on your WordPress site, you are potentially affected by this XSS vulnerability.
Upgrade Gravity Forms to version 2.9.29 or later to resolve the vulnerability. Implement temporary workarounds like restricting access to the form creation endpoint if immediate upgrading isn't possible.
As of the current assessment, there are no reports of CVE-2026-3492 being actively exploited in the wild, but it's crucial to apply the patch promptly.
Refer to the official Gravity Forms website and WordPress security announcements for the latest information and advisory regarding CVE-2026-3492: [https://gravityforms.com/news/security/](https://gravityforms.com/news/security/)