If you find suspicious stored entries, do not immediately delete them without planning: save a copy for forensic analysis, then clean or restore from a known-good backup.

If you think your site was already compromised — recovery checklist

1. Put the site in maintenance mode to stop further harm to visitors.
2. Immediately update Gravity Forms to 2.9.29 or the latest available version.
3. Apply layered protections (edge WAF rules, server-level checks) to block re-exploitation attempts while you investigate.
4. Rotate all administrative passwords and API keys (WordPress salts, OAuth tokens, third-party API keys).
5. Force a password reset for all users with elevated privileges.
6. Remove any malicious form titles, injected content, or backdoor files. Prefer restoration from a clean backup when possible.
7. Check user accounts for suspicious new admin/editor users and remove them.
8. Scan the site with a trusted malware scanner and check file integrity versus a clean baseline.
9. Audit logs to identify the timeframe of compromise and any actions taken by the attacker.
10. Harden the site post-recovery:
    • Enforce 2FA
    • Disable plugin/theme editing via the dashboard (DISALLOW_FILE_EDIT)
    • Review and correct file and directory permissions
    • Keep all components updated

If you lack in-house capability, engage a professional incident response service that can preserve evidence and remediate safely.

Long-term hardening — beyond this vulnerability

To reduce the impact of similar vulnerabilities in the future, adopt layered defenses:

• Keep all plugins, themes, and WordPress core up to date.
• Reduce the number of active plugins and only use reputable, actively maintained plugins.
• Use the principle of least privilege: only give users the capabilities they need. Prevent subscribers from creating forms unless business requirements require it.
• Consider managed WAF or virtual patching as one layer to block exploit attempts while you test patches.
• Implement strict Content Security Policy (CSP) and X-Frame-Options headers.
• Require two-factor authentication for all privileged accounts.
• Maintain regular backups and validate restore procedures.
• Monitor and alert on changes to key tables, admin accounts, and new plugin/theme file modifications.
• Conduct periodic security reviews and penetration tests for critical sites.

Recommended operational checklist for WordPress admins (step-by-step)

1. Immediately:
   • Update Gravity Forms to 2.9.29+
   • Apply edge rules or virtual patches where available if update must be delayed
2. Within 24 hours:
   • Scan site for suspicious form titles and database entries; quarantine or restore from clean backups
   • Force password reset for admin users
   • Enable 2FA and review user roles and capabilities
3. Within 72 hours:
   • Inspect server logs for suspicious POST requests to Gravity Forms or admin endpoints
   • Apply CSP and additional HTTP security headers
   • Schedule a full site backup and verify recovery
4. Within 2 weeks:
   • Review plugin inventory; remove unused plugins
   • Schedule security audit and penetration test for high-traffic or high-value sites
   • Enforce a regular patching cadence (weekly or monthly depending on criticality)

Developer guidance (how to patch defensively in your code)

If you maintain custom code that interacts with Gravity Forms or form metadata, follow these secure-coding practices:

• Always escape output at rendering time: use esc_html(), esc_attr() or wp_kses_post() as appropriate.
• Sanitize input on save: for titles and admin-entered content, strip tags or apply controlled allowlists.
• Use Gravity Forms filters to sanitize or validate form titles on save: add a server-side filter that strips any tags or JavaScript before the form_title is persisted.
• Avoid storing raw HTML or script within meta fields that will be rendered directly.
• Treat any user-supplied text as untrusted data.

Example (conceptual) filter to sanitize form titles before save:

add_filter('gform_pre_form_title_save', function($title) {
    // Remove all tags (or apply a more targeted allowlist)
    return wp_strip_all_tags($title);
});

Note: Gravity Forms may provide specific hooks and filters — consult the plugin’s developer documentation for the correct hooks for your version.

Why managed edge controls and virtual patching matter

Two realities are common in the real world:

1. Site owners do not always update the instant a vulnerability is disclosed.
2. Hosting constraints, compatibility testing, and bespoke integrations can delay updates.

Managed edge controls (WAFs) and virtual patching help by:

• Blocking exploit attempts at the edge before they reach vulnerable code
• Buying time to test and safely deploy vendor-supplied patches
• Reducing noise by blocking automated scanning and opportunistic attacks
• Providing logs and telemetry to identify whether the vulnerability was targeted

Final notes — prioritise defence-in-depth

This Gravity Forms stored XSS is a reminder that even low-privilege accounts can pose risk if content they create is later rendered in sensitive contexts. Prioritise:

• Immediate patching
• Applying edge-based virtual patches if you cannot patch right away
• Hardening user permissions and admin access
• Proactive monitoring and incident response planning

If you need assistance — whether it’s applying virtual patches, scanning for indicators of compromise, or performing an incident response — engage a qualified security professional who can contain, investigate, and help you recover.

Stay safe. Keep WordPress installations updated, and treat security as a continuous process rather than a single task.

— Hong Kong Security Expert