Gravity Forms — Vulnerabilities & Security Advisories (13)

Browse all 13 CVE security advisories affecting Gravity Forms. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Gravity Forms is a popular WordPress plugin for creating and managing forms, widely used for contact forms, surveys, and lead generation. Historically, it has been susceptible to multiple security vulnerabilities including remote code execution, cross-site scripting, and privilege escalation flaws. With 13 CVEs recorded, these issues have often stemmed from insufficient input validation and improper access controls. While no major public security incidents have been widely documented, the consistent discovery of vulnerabilities highlights the importance of maintaining updated versions and implementing proper security measures for users of this form-building solution.

Top products by Gravity Forms: Gravity Forms, Gravity Forms WebHooks

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-5110 | Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Single Product Field Inside Repeater | Gravity Forms | CWE-79 | 7.2 | High | 2026-05-02 |
| CVE-2026-5111 | Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Hidden Product Field in Repeater | Gravity Forms | CWE-79 | 7.2 | High | 2026-05-02 |
| CVE-2026-5112 | Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Calculation Product Field in Repeater | Gravity Forms | CWE-79 | 7.2 | High | 2026-05-02 |
| CVE-2026-5109 | Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Product Option | Gravity Forms | CWE-79 | 7.2 | High | 2026-05-02 |
| CVE-2026-5113 | Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Consent Field Hidden Input | Gravity Forms | CWE-79 | 7.2 | High | 2026-05-02 |
| CVE-2026-4406 | Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter | Gravity Forms | CWE-79 | 4.7 | Medium | 2026-04-07 |
| CVE-2026-4394 | Gravity Forms <= 2.9.30 - Unauthenticated Stored Cross-Site Scripting via Credit Card 'Card Type' Sub-Field | Gravity Forms | CWE-79 | 6.1 | Medium | 2026-04-07 |
| CVE-2026-3492 | Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title | Gravity Forms | CWE-79 | 6.4 | Medium | 2026-03-11 |
| CVE-2025-12974 | Gravity Forms <= 2.9.21.1 - Unauthenticated Arbitrary File Upload via Legacy Chunked Upload | Gravity Forms | CWE-434 | 8.1 | High | 2025-11-18 |
| CVE-2025-12352 | Gravity Forms <= 2.9.20 - Unauthenticated Arbitrary File Upload via 'copy_post_image' | Gravity Forms | CWE-434 | 9.8 | Critical | 2025-11-07 |
| CVE-2024-13845 | Gravity Forms WebHooks <= 1.6.0 - Authenticated (Admin+) Server-Side Request Forgery via Webhook | Gravity Forms WebHooks | CWE-918 | 5.5 | Medium | 2025-05-01 |
| CVE-2024-13378 | GravityForms 2.9.0.1 - 2.9.1.3 - Unauthenticated Stored Cross-Site Scripting via 'style_settings' parameter | Gravity Forms | CWE-79 | 5.4 | Medium | 2025-01-17 |
| CVE-2024-13377 | GravityForms <= 2.9.1.3 - Unauthenticated Stored Cross-Site Scripting via 'alt' parameter | Gravity Forms | CWE-79 | 7.2 | High | 2025-01-17 |

This page lists every published CVE security advisory associated with Gravity Forms. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.