CVE-2026-5113 HIGH

CVE-2026-5113: Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Consent Field Hidden Input

Vendor Gravity Forms
Product Gravity Forms
Weakness CWE-79 · XSS
Published May 2, 2026
Last update May 4, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wp_kses(), combined with insufficient output escaping. The state validation logic creates two hashes (raw input and wp_kses-sanitized input) and only fails validation if BOTH hashes don't match the original state. When an attacker injects XSS payloads using tags stripped by wp_kses() (like <svg>), the sanitized hash matches while the malicious raw value is preserved and saved to the database. When administrators view the Entries List page, the stored malicious consent label is retrieved and output without escaping, causing the XSS payload to execute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entries that will execute whenever an authenticated administrator accesses the entries list page.

Explanation of Vulnerability in Simple Terms

02Summary

Gravity Forms versions up to 2.10.0 contain a cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts into the site. The vulnerability can be exploited over the network without user interaction, and the impact extends beyond the vulnerable component to affect other parts of the site. This can lead to session hijacking, credential theft, or malware distribution to site visitors.

What an attacker can do

03Attacker Capabilities

Inject malicious JavaScript that executes in visitors' browsers and affects other site functionality.

Potential impact on your site

04Site Impact

Visitors' sessions and credentials can be compromised; site reputation and data security at risk.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

May 2, 2026 CVE published
May 4, 2026 Record updated

Related vulnerabilities

08Related CVE