Gravity Forms — Vulnerabilities & Security Advisories (14)

All 14 CVE vulnerabilities found in Gravity Forms, with AI-generated Chinese analysis, references, and POCs.

Vendor: Rocketgenius Inc.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-5110 | Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Single Product Field Inside Repeater | CWE-79 | 7.2 | High | 2026-05-02 |
| CVE-2026-5111 | Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Hidden Product Field in Repeater | CWE-79 | 7.2 | High | 2026-05-02 |
| CVE-2026-5112 | Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Calculation Product Field in Repeater | CWE-79 | 7.2 | High | 2026-05-02 |
| CVE-2026-5109 | Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Product Option | CWE-79 | 7.2 | High | 2026-05-02 |
| CVE-2026-5113 | Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Consent Field Hidden Input | CWE-79 | 7.2 | High | 2026-05-02 |
| CVE-2026-4406 | Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter | CWE-79 | 4.7 | Medium | 2026-04-07 |
| CVE-2026-4394 | Gravity Forms <= 2.9.30 - Unauthenticated Stored Cross-Site Scripting via Credit Card 'Card Type' Sub-Field | CWE-79 | 6.1 | Medium | 2026-04-07 |
| CVE-2026-3492 | Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title | CWE-79 | 6.4 | Medium | 2026-03-11 |
| CVE-2025-13407 | GravityForms < 2.9.23.1 - Unauthenticated Arbitrary File Upload | | 9.8 (AI) | Critical (AI) | 2025-12-24 |
| CVE-2025-12974 | Gravity Forms <= 2.9.21.1 - Unauthenticated Arbitrary File Upload via Legacy Chunked Upload | CWE-434 | 8.1 | High | 2025-11-18 |
| CVE-2025-12352 | Gravity Forms <= 2.9.20 - Unauthenticated Arbitrary File Upload via 'copy_post_image' | CWE-434 | 9.8 | Critical | 2025-11-07 |
| CVE-2024-13378 | GravityForms 2.9.0.1 - 2.9.1.3 - Unauthenticated Stored Cross-Site Scripting via 'style_settings' parameter | CWE-79 | 5.4 | Medium | 2025-01-17 |
| CVE-2024-13377 | GravityForms <= 2.9.1.3 - Unauthenticated Stored Cross-Site Scripting via 'alt' parameter | CWE-79 | 7.2 | High | 2025-01-17 |
| CVE-2023-28782 | WordPress Gravity Forms Plugin <= 2.7.3 is vulnerable to PHP Object Injection | CWE-502 | 8.3 | High | 2023-12-20 |

All 14 known CVE vulnerabilities affecting Gravity Forms with full Chinese analysis, references, and POCs where available.