CVE-2026-5110 HIGH

CVE-2026-5110: Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Single Product Field Inside Repeater

Vendor Gravity Forms
Product Gravity Forms
Weakness CWE-79 · XSS
Published May 2, 2026
Last update May 4, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

Description

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are nested within Repeater fields, the validation flow bypasses the state validation mechanism (failed_state_validation()) that would normally prevent tampering with field values. The validate_subfield() method only calls the field's validate() method, which for SingleProduct fields only validates the quantity field and does not check the product name field for tampering. As a result, an attacker can inject arbitrary HTML and JavaScript into the product name field (input .1). This malicious input is then saved to the database without sanitization because sanitize_entry_value() returns raw values when HTML is not expected for the field type. When an administrator views the entry in wp-admin/admin.php?page=gf_entries, the get_value_entry_detail() method outputs the product name without escaping, causing the stored XSS payload to execute in the administrator's browser. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses an entry containing the malicious payload.
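The two controls the description says are skipped on the nested SingleProduct path, a state check over the admin-configured product values and escaping at output time, modelled in PHP as an added example (not Gravity Forms' own code). The function names, the HMAC-based state hash and the sample submission are assumptions, not taken from the plugin.

```php
<?php
// Added example, not Gravity Forms' code. It models the two defensive checks
// the description says the nested SingleProduct path skipped: re-checking the
// submitted product name against a server-side state hash, and escaping the
// stored value when the entry is displayed. All names here are hypothetical.

// State hash over the admin-configured product values, generated when the
// form is rendered and recomputed on submission (the role the state check in
// failed_state_validation() plays for non-nested fields).
function expected_product_state(array $product, string $secret): string {
    return hash_hmac('sha256', json_encode($product), $secret);
}

// True only when the submitted name and price match the configured ones.
// The quantity is the one sub-input a visitor may legitimately change.
function product_state_is_valid(array $submitted, string $state, string $secret): bool {
    $recomputed = expected_product_state(
        ['name' => $submitted['name'], 'price' => $submitted['price']],
        $secret
    );
    return hash_equals($state, $recomputed);
}

// Escape on output no matter what was stored: entry data is untrusted input.
// In WordPress this would be esc_html(); htmlspecialchars keeps the example
// runnable outside WordPress.
function render_product_name(string $stored): string {
    return '<td class="product-name">'
        . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</td>';
}

// Constructed sample submission: the name sub-input (.1) was tampered with.
$secret     = 'per-site-secret-placeholder';
$configured = ['name' => 'Widget', 'price' => '10.00'];
$state      = expected_product_state($configured, $secret);
$submitted  = ['name' => '<b>Widget</b>', 'price' => '10.00', 'quantity' => '2'];

if (!product_state_is_valid($submitted, $state, $secret)) {
    echo "rejected: product name/price do not match the form's configuration\n";
}
// Even if a tampered value had reached the database, escaping on output
// renders it as inert text in the entry detail view.
echo render_product_name($submitted['name']), "\n";
```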

Explanation of Vulnerability in Simple Terms

Summary

Gravity Forms versions up to 2.10.0 contain a cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts into the site. The vulnerability affects the form rendering or data handling logic, enabling attackers to execute JavaScript in visitors' browsers. This can lead to session hijacking, credential theft, or malware distribution. Site owners should update to a version newer than 2.10.0 immediately.

What an attacker can do

Attacker Capabilities

Inject and execute malicious JavaScript in visitors' browsers without authentication.

Potential impact on your site

Site Impact

Visitors' sessions, credentials, or personal data could be compromised; site reputation and trust damaged.

Conditions required to exploit

Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

Disclosure timeline

May 2, 2026 CVE published
May 4, 2026 Record updated