Description
The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping of Calculation Product field product names when rendered inside Repeater fields. The validate() method in the GF_Field_Calculation class only validates the quantity field (.3) and completely ignores the product name field (.1), allowing malicious HTML to pass through validation. When the value is saved, the sanitize_entry_value() method returns the raw value without sanitization for fields where HTML is not expected. Subsequently, when an entry is viewed in wp-admin, the get_value_entry_detail() method concatenates the unescaped product name directly into the output string, which is then rendered by the repeater's get_value_entry_detail() method without further escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via form submissions that will execute whenever an authenticated administrator with the gravityforms_view_entries capability accesses the entry detail page.
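As an added illustration (not the plugin's own code), the vulnerable shape the description walks through beside a hardened one. The `.1` (product name) and `.3` (quantity) input keys come from the advisory; the function names and the stand-in helpers are assumptions so the file runs outside WordPress.

```php
<?php
// Added illustration, not Gravity Forms' own code: a minimal stand-in for the
// GF_Field_Calculation path the advisory describes. Input ".1" is the product
// name and ".3" the quantity, as in the advisory; everything else is assumed.

// Stand-ins so the file runs outside WordPress; inside WordPress the real
// esc_html() and wp_strip_all_tags() are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('wp_strip_all_tags')) {
    function wp_strip_all_tags(string $text): string {
        return trim(strip_tags($text));
    }
}

// Vulnerable shape: only the quantity input is validated, the stored value is
// kept raw, and the product name is concatenated into the entry-detail markup
// without escaping.
function validate_vulnerable(array $value): bool {
    return is_numeric($value['.3'] ?? '');
}
function entry_detail_vulnerable(array $value): string {
    return ($value['.3'] ?? '') . ' x ' . ($value['.1'] ?? '');
}

// Hardened shape: validate both inputs on submission (a product name that
// changes when tags are stripped is rejected) and escape every value at
// output time, which is the fix that matters even if validation is bypassed.
function validate_hardened(array $value): bool {
    $name = (string) ($value['.1'] ?? '');
    return is_numeric($value['.3'] ?? '') && $name === wp_strip_all_tags($name);
}
function entry_detail_hardened(array $value): string {
    return esc_html((string) ($value['.3'] ?? '')) . ' x '
         . esc_html((string) ($value['.1'] ?? ''));
}

// Constructed submission: a product name carrying markup, as an unauthenticated
// form post could supply it.
$submitted = ['.1' => 'Widget<script>x()</script>', '.3' => '2'];

var_dump(validate_vulnerable($submitted));      // quantity-only check, name never inspected
echo entry_detail_vulnerable($submitted), "\n"; // markup reaches the admin's browser as HTML
var_dump(validate_hardened($submitted));        // name with tags is rejected on submit
echo entry_detail_hardened($submitted), "\n";   // escaped, so the markup is shown as text
```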
Published: 2026-05-02
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Gravity Forms plugin for WordPress contains a stored XSS flaw in versions up to and including 2.10.0. The form’s Calculation Product field product names are not validated or escaped; the validate() method ignores the product name, and sanitize_entry_value() returns the raw value. When an entry is displayed by the administrator, the raw product name is concatenated into the output string and rendered by the repeater without escaping, allowing an attacker to inject arbitrary scripts.

Affected Systems

Any WordPress site using the Gravity Forms plugin with version 2.10.0 or earlier is affected. The vendor/product is Gravity Forms: Gravity Forms. No further sub‑version details are listed, so all releases up to 2.10.0 are vulnerable.

Risk and Exploitability

The CVSS score of 7.2 reflects a medium to high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can submit a crafted form entry without authentication; the malicious script executes only when an authenticated administrator with gravityforms_view_entries capability views the entry detail page. The lack of authentication for the initial entry submission and the administrative context of the script execution make this a high‑risk scenario for compromised sites.

Generated by OpenCVE AI on May 2, 2026 at 10:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Gravity Forms to a version newer than 2.10.0, which removes the vulnerability.
  • If an immediate update is not possible, disable or restrict access to the entry detail page for unauthenticated users and ensure that the product name field is properly escaped when rendered.
  • Audit existing form entries and strip any unescaped HTML from the Calculation Product field to eliminate stored payloads.
  • Consider temporarily removing the repeater field or disabling the Calculation Product field until a patch is applied.
  • Monitor the site for signs of XSS exploitation, such as unexpected script-based redirects or console errors.

Generated by OpenCVE AI on May 2, 2026 at 10:01 UTC.

Advisories

No advisories yet.

History

Sat, 02 May 2026 07:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Gravityforms
                                      Gravityforms gravity Forms
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Gravityforms
                                      Gravityforms gravity Forms
                                      Wordpress
                                      Wordpress wordpress

Sat, 02 May 2026 06:00:00 +0000

Type         Values Removed   Values Added
Description                   The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping of Calculation Product field product names when rendered inside Repeater fields. The validate() method in the GF_Field_Calculation class only validates the quantity field (.3) and completely ignores the product name field (.1), allowing malicious HTML to pass through validation. When the value is saved, the sanitize_entry_value() method returns the raw value without sanitization for fields where HTML is not expected. Subsequently, when an entry is viewed in wp-admin, the get_value_entry_detail() method concatenates the unescaped product name directly into the output string, which is then rendered by the repeater's get_value_entry_detail() method without further escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via form submissions that will execute whenever an authenticated administrator with the gravityforms_view_entries capability accesses the entry detail page.
Title                         Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Calculation Product Field in Repeater
Weaknesses                    CWE-79
References
Metrics                       cvssV3_1
                              {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T05:29:28.846Z

Reserved: 2026-03-29T21:44:04.026Z

Link: CVE-2026-5112

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-02T06:16:03.877

Modified: 2026-05-02T06:16:03.877

Link: CVE-2026-5112

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T10:15:16Z

Weaknesses