Description
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted values where the wp_kses()-sanitized version matches a legitimate option value, but then stores the raw unsanitized value in the database. When administrators view entry details via the Order Summary section, the option_label is output directly without escaping (view-order-summary.php line 32), executing the injected JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entry data that will execute whenever an administrator accesses the entry details page.
Published: 2026-05-02
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Gravity Forms WordPress plugin is vulnerable to stored cross‑site scripting in versions up to and including 2.10.0 because it fails to properly sanitize and escape Product Option field values. An attacker can submit a malicious script that is saved in the database, and when an administrator opens the entry details page the injected JavaScript executes in the administrator’s browser.

Affected Systems

Gravity Forms plugin for WordPress, versions 2.10.0 and earlier. Any installation of the affected plugin that contains a Product Option field is susceptible.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity. The vulnerability can be exploited by any unauthenticated user who can submit a form containing a malicious Product Option. The attacker need only interact with the public site; no special environment or additional privileges are required. Because the vulnerability is not listed in the CISA KEV catalogue and no exploit has been publicly disclosed, the likelihood of exploitation is uncertain, but the high severity and ease of exploitation warrant prompt attention.

Generated by OpenCVE AI on May 2, 2026 at 11:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Gravity Forms to a version newer than 2.10.0
  • Disable or delete unused Product Option fields to reduce exposure
  • Remove any malicious script entries from existing database records

Generated by OpenCVE AI on May 2, 2026 at 11:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 02 May 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Gravityforms
Gravityforms gravity Forms
Wordpress
Wordpress wordpress
Vendors & Products Gravityforms
Gravityforms gravity Forms
Wordpress
Wordpress wordpress

Sat, 02 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted values where the wp_kses()-sanitized version matches a legitimate option value, but then stores the raw unsanitized value in the database. When administrators view entry details via the Order Summary section, the option_label is output directly without escaping (view-order-summary.php line 32), executing the injected JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entry data that will execute whenever an administrator accesses the entry details page.
Title Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Product Option
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Gravityforms Gravity Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-04T15:57:50.981Z

Reserved: 2026-03-29T20:51:05.663Z

Link: CVE-2026-5109

cve-icon Vulnrichment

Updated: 2026-05-04T15:56:40.326Z

cve-icon NVD

Status : Deferred

Published: 2026-05-02T06:16:03.210

Modified: 2026-05-05T19:16:18.390

Link: CVE-2026-5109

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T11:30:41Z

Weaknesses