Gravity Forms
cpe:2.3:a:gravityforms:gravity_forms:*:*:*:*:wordpress:*:*
- <= 2.9.30
A reflected cross-site scripting vulnerability has been identified in the Gravity Forms plugin for WordPress, affecting all versions through 2.9.30. The issue arises in the 'gform_get_config' AJAX action, where the 'form_ids' parameter is processed. The cause is the 'GFCommon::send_json()' method, which incorrectly outputs JSON data wrapped in HTML comment delimiters. As a result, the response is served with a 'Content-Type: text/html' header instead of 'application/json', so HTML or script tags injected into the 'form_ids' array values are executed by the browser. The 'config_nonce' required for this action is publicly available on every page that contains a Gravity Forms form, which lets unauthenticated attackers inject scripts that execute if a user is tricked into interacting with the page.
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject and execute arbitrary scripts in the context of the user's browser.
Users are advised to update the Gravity Forms plugin to version 2.9.31 or later.
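The response-handling flaw described above, shown beside a hardened form, as an added PHP example that is not Gravity Forms source code. The function names, the assumption that the handler echoes 'form_ids' back in its response, and the assumption that form IDs are positive integers are all hypothetical.

```php
<?php
// Hypothetical stand-ins written for this example; NOT Gravity Forms source code.
// Assumption: the handler echoes the submitted form_ids back in its response.

// Pattern from the advisory: JSON wrapped in HTML comment delimiters, sent as text/html.
function respond_wrapped(array $data): array {
    return [
        'headers' => ['Content-Type: text/html; charset=UTF-8'],
        'body'    => '<!--' . json_encode($data) . '-->',
    ];
}

// Hardened form: JSON media type, no sniffing, and angle brackets hex-escaped
// so the body stays inert even if something renders it as HTML.
function respond_json(array $data): array {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return [
        'headers' => [
            'Content-Type: application/json; charset=UTF-8',
            'X-Content-Type-Options: nosniff',
        ],
        'body' => json_encode($data, $flags),
    ];
}

// Input validation (assumption: form IDs are positive integers).
function sanitize_form_ids($raw): array {
    $ids = [];
    foreach ((array) $raw as $value) {
        if ((is_int($value) || is_string($value))
            && ctype_digit((string) $value) && (int) $value > 0) {
            $ids[] = (int) $value;
        }
    }
    return array_values(array_unique($ids));
}

// Constructed request value: a harmless HTML marker where an integer ID is expected.
$form_ids = ['1', '<b>marker</b>'];

$responses = [
    'wrapped, text/html'        => respond_wrapped(['form_ids' => $form_ids]),
    'application/json'          => respond_json(['form_ids' => $form_ids]),
    'application/json + filter' => respond_json(['form_ids' => sanitize_form_ids($form_ids)]),
];
foreach ($responses as $name => $r) {
    echo $name, "\n  ", implode("\n  ", $r['headers']), "\n  ", $r['body'], "\n";
}
```

Only the first response carries raw angle brackets in a body the browser will parse as HTML; the second escapes them and declares a JSON media type, and the third drops the non-numeric value before it is ever reflected.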