Description
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wp_kses(), combined with insufficient output escaping. The state validation logic creates two hashes (raw input and wp_kses-sanitized input) and only fails validation if BOTH hashes don't match the original state. When an attacker injects XSS payloads using tags stripped by wp_kses() (like <svg>), the sanitized hash matches while the malicious raw value is preserved and saved to the database. When administrators view the Entries List page, the stored malicious consent label is retrieved and output without escaping, causing the XSS payload to execute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entries that will execute whenever an authenticated administrator accesses the entries list page.
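The following PHP is an added example, not code from Gravity Forms or from this advisory. It models the fail-open state check the description outlines (two hashes, validation fails only when both mismatch) beside a fail-closed check and output escaping. The function names, the HMAC-based "state" value, the `kses_stand_in()` allow-list and the sample label are assumptions constructed for the demonstration; the real plugin derives its state differently and the real wp_kses() does more than strip tags.

```php
<?php
// Added example: models the fail-open state check described in the advisory
// and a fail-closed replacement. Not Gravity Forms' own code; function names,
// the HMAC-based "state" value and the kses stand-in are assumptions.

declare(strict_types=1);

// Stand-in for wp_kses(): keeps only tags on the allow-list and drops the
// rest. The real wp_kses() also filters attributes and URL protocols; this
// stand-in only reproduces the behaviour that matters here (tag removal).
function kses_stand_in(string $value): string
{
    $allowed_tags = ['b', 'i', 'a'];   // constructed allow-list
    return strip_tags($value, $allowed_tags);
}

// The hidden "state" value is computed server-side when the form is rendered
// so the server can later check that a consent label was not altered.
// (Assumption: the real plugin derives its state differently.)
function make_state(string $expected_label, string $secret): string
{
    return hash_hmac('sha256', $expected_label, $secret);
}

// VULNERABLE pattern (fails open): two hashes are computed and validation
// fails only when BOTH differ from the state. Anything the sanitizer strips
// leaves the sanitized hash matching while the raw value passes through.
function state_is_valid_fail_open(string $submitted, string $state, string $secret): bool
{
    $raw_hash   = hash_hmac('sha256', $submitted, $secret);
    $clean_hash = hash_hmac('sha256', kses_stand_in($submitted), $secret);
    if (!hash_equals($state, $raw_hash) && !hash_equals($state, $clean_hash)) {
        return false;
    }
    return true;   // the raw $submitted value is then saved as-is
}

// HARDENED pattern (fails closed): the exact raw submission must match the
// state. Sanitization is not a substitute for an integrity check.
function state_is_valid_fail_closed(string $submitted, string $state, string $secret): bool
{
    return hash_equals($state, hash_hmac('sha256', $submitted, $secret));
}

// Output side of the fix: escape the stored label before it reaches the
// entries list. htmlspecialchars() plays the role esc_html() would in WordPress.
function render_consent_label(string $stored_label): string
{
    return htmlspecialchars($stored_label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Constructed walkthrough ---
$secret   = 'constructed-site-secret';
$expected = 'I agree to the terms';          // label the form was rendered with
$state    = make_state($expected, $secret);

// A tampered submission: the label plus a tag the kses stand-in strips,
// so the sanitized copy equals the expected label while the raw copy does not.
$tampered = $expected . '<svg>';

printf("fail-open accepts tampered label:   %s\n",
    state_is_valid_fail_open($tampered, $state, $secret) ? 'yes' : 'no');
printf("fail-closed accepts tampered label: %s\n",
    state_is_valid_fail_closed($tampered, $state, $secret) ? 'yes' : 'no');
printf("fail-closed accepts genuine label:  %s\n",
    state_is_valid_fail_closed($expected, $state, $secret) ? 'yes' : 'no');

// Even if a tampered value had already been stored, escaping on output
// renders it as inert text in the entries list.
echo "escaped for display: ", render_consent_label($tampered), "\n";
```

Run it with `php example.php`. The fail-open check accepts the tampered label because the sanitized hash still matches, which is exactly the condition the advisory describes; the fail-closed check rejects it while still accepting the genuine label, and escaping on output covers entries that were stored before the input-side fix.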
Published: 2026-05-02
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Gravity Forms plugin for WordPress contains a flaw that allows any unauthenticated user to inject a stored XSS payload via a hidden consent field. The vulnerability arises from a mis‑implemented state validation that compares hashes of input before and after sanitization. When a payload is stripped by wp_kses but the original raw value is stored, the plugin renders the raw value without escaping on the Entries List page. This permits an attacker to supply malicious script that will execute when an authenticated administrator views the form entries. The impact is that the attacker can run arbitrary client‑side code with the privileges of the administrator, potentially exfiltrating data or performing additional attacks against the site.

Affected Systems

Anyone running the Gravity Forms WordPress plugin version 2.10.0 or earlier is affected. The issue applies to any Gravity Forms installation up to and including 2.10.0 on a standard WordPress environment. No specific operating system or PHP version constraints are documented.

Risk and Exploitability

The CVSS score of 7.2 corresponds to a High severity rating. EPSS information is not available, and the vulnerability is not listed in CISA's KEV catalog. Attackers require only unauthenticated access to the publicly exposed form to inject the payload, and exploitation succeeds when an administrator subsequently views the entries list. Given that many sites expose Gravity Forms on the public Internet, the likelihood of exploitation in the wild remains uncertain but should be considered a moderate threat, especially for sites with sensitive data or high‑value administrators.

Generated by OpenCVE AI on May 2, 2026 at 11:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Gravity Forms plugin to any later release that fixes the state validation flaw and ensures proper escaping of the consent label.
  • Immediately delete or sanitize any form entries whose consent labels look suspicious or crafted, as stored in your database.
  • Restrict administrative access to the WordPress dashboard by using IP whitelisting or a VPN, and enable two‑factor authentication to reduce the impact of any remaining XSS.
  • Deploy a Web Application Firewall (WAF) rule or use a security plugin such as Wordfence to block XSS payloads targeting the form consent field.


Advisories

No advisories yet.

History

Mon, 04 May 2026 15:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 02 May 2026 07:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Gravityforms; Gravityforms gravity Forms; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Gravityforms; Gravityforms gravity Forms; Wordpress; Wordpress wordpress

Sat, 02 May 2026 06:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wp_kses(), combined with insufficient output escaping. The state validation logic creates two hashes (raw input and wp_kses-sanitized input) and only fails validation if BOTH hashes don't match the original state. When an attacker injects XSS payloads using tags stripped by wp_kses() (like <svg>), the sanitized hash matches while the malicious raw value is preserved and saved to the database. When administrators view the Entries List page, the stored malicious consent label is retrieved and output without escaping, causing the XSS payload to execute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entries that will execute whenever an authenticated administrator accesses the entries list page.

Type: Title
Values Removed: (none)
Values Added: Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Consent Field Hidden Input

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-04T14:51:42.054Z

Reserved: 2026-03-29T21:45:25.128Z

Link: CVE-2026-5113

Vulnrichment

Updated: 2026-05-04T14:51:26.796Z

NVD

Status: Deferred

Published: 2026-05-02T06:16:04.020

Modified: 2026-05-05T19:16:18.390

Link: CVE-2026-5113

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T11:45:41Z

Weaknesses