This vulnerability in iContact for Gravity Forms (versions ≤ 1.3.2) is due to improper input sanitization during web page generation, resulting in reflected cross-site scripting (XSS). An attacker can craft malicious input that is reflected back to users without proper neutralization, enabling script execution in the victim's browser. The CVSS v3.1 score of 7.1 indicates a high severity with network attack vector, low attack complexity, no privileges required, user interaction needed, and impacts on confidentiality, integrity, and availability.

Successful exploitation can allow an attacker to execute arbitrary scripts in the context of the victim's browser, potentially leading to theft of sensitive information, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability to a limited extent. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or restricting access to the affected plugin to mitigate risk. Monitor official Zack Katz or Gravity Forms channels for updates and apply patches promptly once released.