Gravity Forms Shortcodes
If you use [gravityformspopulate field_ids="5" filter="post_id=REQUEST.post_id"] without validating the incoming post_id parameter, an attacker could inject a meta query to extract private post titles via error-based disclosure.
Gravity Forms shortcodes output inline JavaScript (var gform;) and hard-coded nonce values. This breaks page caching (e.g., Varnish, Cloudflare Full Page Cache, WP Rocket). Each page load regenerates the nonce, preventing static HTML caching.
Contact Form 7 (but far fewer features). Winner for dynamic content: Gravity Forms, but requires developer discipline.
Final Verdict
Gravity Forms shortcodes are a powerful but leaky abstraction. They excel at embedding forms anywhere (widgets, custom post content, theme files) and dynamic population. However, their tight coupling with inline scripts and nonces makes them a poor choice for statically cached pages. Each page load regenerates the nonce, preventing static