What the vulnerability does
Description
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. The cause is insufficient input validation and output escaping of Hidden Product field values when the field is used inside a Repeater field: repeater subfields bypass the state validation checks, and the Hidden Product validate() method validates only the quantity while ignoring the product name, which is later output without proper escaping by the get_value_entry_detail() method. This makes it possible for unauthenticated attackers to inject arbitrary web scripts through form submissions; the scripts execute whenever an administrator views the entry details.
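The two code paths the description names (a validate() that checks only the quantity, and an entry-detail renderer that echoes the product name raw) can be shown side by side with a hardened version. The following is an added illustration written for this page, not Gravity Forms' own code: the class layout, the value array (name, price, quantity) and the function names are assumptions, the submitted value is constructed, and the WordPress helpers esc_html() and sanitize_text_field() are stubbed with plain PHP equivalents so the file runs stand-alone. The "name must match the configured product" check stands in for the state validation the page says repeater subfields bypass.

```php
<?php
// Added illustration (hypothetical, not the plugin's code): weak pattern beside
// the hardened one for a hidden product field rendered in entry details.

// Stand-ins for WordPress helpers so this runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Simplified stand-in: strip tags and control characters, trim whitespace.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}

// Constructed submitted value; assumed layout: [0] name, [1] price, [2] quantity.
// The name carries markup that a hidden field should never accept from a client.
$submitted = array(
    'Widget <script>x()</script>',
    '9.99',
    '2',
);

// Weak pattern (as described for the affected versions): only the quantity
// is validated, and the name is concatenated into HTML unescaped.
function weak_validate(array $value) {
    return ctype_digit($value[2]);           // product name never inspected
}
function weak_entry_detail(array $value) {
    return '<td>' . $value[0] . '</td><td>' . $value[2] . '</td>';
}

// Hardened pattern: sanitize the name on input, reject anything that differs
// from the product configured on the form (the hidden field is not meant to be
// user-editable), and escape every value at the point of output.
function hardened_validate(array $value, $expected_name) {
    $name = sanitize_text_field($value[0]);
    if ($name !== $expected_name) {
        return false;                        // tampered hidden product name
    }
    return ctype_digit($value[2]);
}
function hardened_entry_detail(array $value) {
    return '<td>' . esc_html($value[0]) . '</td><td>' . esc_html($value[2]) . '</td>';
}

echo "weak validate:     " . var_export(weak_validate($submitted), true) . "\n";
echo "weak detail:       " . weak_entry_detail($submitted) . "\n";
echo "hardened validate: " . var_export(hardened_validate($submitted, 'Widget'), true) . "\n";
echo "hardened detail:   " . hardened_entry_detail($submitted) . "\n";
```

Run with `php` on the command line: the weak path accepts the submission and emits the `<script>` tag verbatim into the entry table, while the hardened path rejects the submission at validation and, even if a bad value reached the renderer, esc_html() turns the angle brackets into entities. The output escaping is the defence that matters for the administrator viewing the entry; the input check is what stops the value from being stored in the first place.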
Explanation of Vulnerability in Simple Terms
Summary
Gravity Forms versions up to 2.10.0 contain a cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts into the application. The vulnerability is rated with a changed scope, meaning its impact can extend beyond the vulnerable component itself. An attacker can exploit it over the network without user interaction to compromise site integrity and steal sensitive data.
What an attacker can do
Attacker Capabilities
Inject malicious JavaScript that runs in the browser of whoever views the affected entry (per the description above, an administrator viewing the entry details) and steals data or modifies site content.
Potential impact on your site
Site Impact
Visitors' browsers can be compromised; attackers can steal credentials, deface content, or redirect users to malicious sites.
Conditions required to exploit
Prerequisites
None. The attacker needs only network access; no authentication or user interaction required.
Key dates
Disclosure timeline
May 2, 2026: CVE published
May 4, 2026: Record updated