Gravity Forms Shortcodes [updated] May 2026

Gravity Forms shortcodes output inline JavaScript (var gform;) and hard-coded nonce values. This breaks page caching (e.g., Varnish, Cloudflare Full Page Cache, WP Rocket). Each page load regenerates the nonce, preventing static HTML caching.

    // Render form #3 with AJAX, no title
    echo do_shortcode('[gravityform id="3" ajax="true" title="false"]');

But better yet, use Gravity Forms' native function:

If you use [gravityformspopulate field_ids="5" filter="post_id=REQUEST.post_id"] without validating the incoming post_id parameter, an attacker could inject a meta query to extract private post titles via error-based disclosure.

Made in 2010-2011 by Evan Wallace, Justin Ardini, Kayle Gishen, and Paul Kernfeld