Description
The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are nested within Repeater fields, the validation flow bypasses the state validation mechanism (failed_state_validation()) that would normally prevent tampering with field values. The validate_subfield() method only calls the field's validate() method, which for SingleProduct fields only validates the quantity field and does not check the product name field for tampering. As a result, an attacker can inject arbitrary HTML and JavaScript into the product name field (input .1). This malicious input is then saved to the database without sanitization because sanitize_entry_value() returns raw values when HTML is not expected for the field type. When an administrator views the entry in wp-admin/admin.php?page=gf_entries, the get_value_entry_detail() method outputs the product name without escaping, causing the stored XSS payload to execute in the administrator's browser. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses an entry containing the malicious payload.
Published: 2026-05-02
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gravity Forms plugin for WordPress contains a stored cross-site scripting vulnerability that allows an unauthenticated attacker to inject arbitrary HTML and JavaScript into the product name field of a SingleProduct field when it is nested inside a Repeater field. The input is saved to the database without sanitization and is later rendered unescaped when an administrator views the entry. This can lead to the execution of attacker-controlled scripts in the context of the administrator's browser, enabling credential theft, defacement, or further exploitation of the site. The weakness is a failure of input validation and output escaping (CWE-79).

Affected Systems

Affected are installations of Gravity Forms version 2.10.0 or earlier running on WordPress. The vulnerability specifically targets the SingleProduct field used within a Repeater component; all forms configured with this field construct are at risk. Upgrading to any version newer than 2.10.0 removes the flaw.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity with medium scope. EPSS data is not available, so the current probability of exploitation cannot be quantified; however, the vulnerability requires no authentication to first inject the payload, though it relies on an administrator later reviewing the entry. The vulnerability is not listed in CISA’s KEV catalog, but its impact on the administrative session makes it a significant risk for affected sites.

Generated by OpenCVE AI on May 2, 2026 at 09:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Gravity Forms plugin to a version newer than 2.10.0 where the SingleProduct field validation has been corrected.
  • If an upgrade cannot be performed immediately, restrict administrator access to the wp‑admin area and enforce a Content Security Policy that blocks inline scripts originating from form entries.
  • Temporarily disable or remove SingleProduct fields that are placed inside Repeater fields from any form until a secure version is installed, preventing the storage of malicious payloads.

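As an added illustration that is not part of this advisory or of the plugin's code base: a triage script that flags stored product-name values carrying markup (the kind of entry an administrator's browser would render unescaped, per the description above) and shows the output-side escaping the advisory points at. The entry-meta row shape and the sample values are constructed assumptions; only the ".1" product-name input comes from the advisory, and html.escape stands in for WordPress's esc_html.

```python
import html
import re

# Constructed sample rows in the shape of Gravity Forms entry meta: entry id,
# "field_id.input_id" key, stored value. The table layout is an assumption made
# for this example; only the ".1" product-name input comes from the advisory.
SAMPLE_ENTRY_META = [
    {"entry_id": 101, "meta_key": "4.1", "meta_value": "Large Pizza"},
    {"entry_id": 101, "meta_key": "4.3", "meta_value": "2"},
    {"entry_id": 102, "meta_key": "4.1", "meta_value": "Pizza <script>document.title='x'</script>"},
    {"entry_id": 103, "meta_key": "4.1", "meta_value": 'Fish & Chips <b onmouseover="x()">'},
    {"entry_id": 104, "meta_key": "4.1", "meta_value": "Fish & Chips"},
    {"entry_id": 105, "meta_key": "4.2", "meta_value": "<script>"},  # price input, out of scope
]

# Markup a legitimate product name never needs; dict order fixes the order of reasons.
MARKUP_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][^>]*>", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "script_scheme": re.compile(r"javascript\s*:", re.IGNORECASE),
}

def is_product_name_key(meta_key):
    """True for 'field.1' keys, the product-name input of a SingleProduct field."""
    parts = meta_key.split(".")
    return len(parts) == 2 and parts[0].isdigit() and parts[1] == "1"

def suspicious_markup(value):
    """Names of the patterns present in a stored value (empty list when clean)."""
    return [name for name, rx in MARKUP_PATTERNS.items() if rx.search(value)]

def find_tampered_product_names(rows):
    """Flag product-name values that carry markup; returns (entry_id, key, reasons)."""
    flagged = []
    for row in rows:
        if not is_product_name_key(row["meta_key"]):
            continue
        reasons = suspicious_markup(row["meta_value"])
        if reasons:
            flagged.append((row["entry_id"], row["meta_key"], reasons))
    return flagged

def escape_for_entry_detail(value):
    """Output-side fix the advisory points at: escape the product name before the
    entry detail page renders it. html.escape stands in for WordPress's esc_html."""
    return html.escape(value, quote=True)
```

Run against a real export of the entry meta table after upgrading, to find entries stored while the vulnerable version was active.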

Advisories

No advisories yet.

History

Sat, 02 May 2026 07:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Gravityforms; Gravityforms gravity Forms; Wordpress; Wordpress wordpress
Vendors & Products   -                Gravityforms; Gravityforms gravity Forms; Wordpress; Wordpress wordpress

Sat, 02 May 2026 06:00:00 +0000

Type         Values Removed   Values Added
Description  -                (identical to the Description section at the top of this page)
Title        -                Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Single Product Field Inside Repeater
Weaknesses   -                CWE-79
References   -                -
Metrics      -                cvssV3_1: score 7.2, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T05:29:30.699Z

Reserved: 2026-03-29T21:31:58.558Z

Link: CVE-2026-5110

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-02T06:16:03.580

Modified: 2026-05-02T06:16:03.580

Link: CVE-2026-5110

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T10:00:06Z

Weaknesses