What the vulnerability does
01Description
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted values where the wp_kses()-sanitized version matches a legitimate option value, but then stores the raw unsanitized value in the database. When administrators view entry details via the Order Summary section, the option_label is output directly without escaping (view-order-summary.php line 32), executing the injected JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entry data that will execute whenever an administrator accesses the entry details page.
Explanation of Vulnerability in Simple Terms
02Summary
Gravity Forms versions up to 2.10.0 contain a cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts into the site. The vulnerability affects the form rendering or submission process and can impact all site visitors. Attackers can steal session tokens, redirect users, or deface content without requiring user interaction.
What an attacker can do
03Attacker Capabilities
Inject malicious JavaScript that runs in visitors' browsers and affects other users on the site.
Potential impact on your site
04Site Impact
Visitors may have their sessions hijacked, be redirected to malicious sites, or see altered page content.
Conditions required to exploit
05Prerequisites
No authentication or user interaction required; attacker can exploit the vulnerability remotely.
Key dates
06Disclosure timeline
May 2, 2026
CVE published
May 4, 2026
Record updated
