CVE-2026-5110: The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is du...

Description

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are nested within Repeater fields, the validation flow bypasses the state validation mechanism (failed_state_validation()) that would normally prevent tampering with field values. The validate_subfield() method only calls the field's validate() method, which for SingleProduct fields only validates the quantity field and does not check the product name field for tampering. As a result, an attacker can inject arbitrary HTML and JavaScript into the product name field (input .1). This malicious input is then saved to the database without sanitization because sanitize_entry_value() returns raw values when HTML is not expected for the field type. When an administrator views the entry in wp-admin/admin.php?page=gf_entries, the get_value_entry_detail() method outputs the product name without escaping, causing the stored XSS payload to execute in the administrator's browser. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses an entry containing the malicious payload.

Metrics

CVSS 3.1

7.2/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS Probability

0.25%

15.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

References

Timeline

Published: May 2, 2026
Last Modified: Jun 17, 2026
Status: Deferred

Frequently Asked Questions

What is CVE-2026-5110?

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are nested within Repeater fields, the validation flow bypasses the state validation mechanism (failed_state_validation()) that would normally prevent tampering with field values. The validate_subfield() method only calls the field's validate() method, which for SingleProduct fields only validates the quantity field and does not check the product name field for tampering. As a result, an attacker can inject arbitrary HTML and JavaScript into the product name field (input .1). This malicious input is then saved to the database without sanitization because sanitize_entry_value() returns raw values when HTML is not expected for the field type. When an administrator views the entry in wp-admin/admin.php?page=gf_entries, the get_value_entry_detail() method outputs the product name without escaping, causing the stored XSS payload to execute in the administrator's browser. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses an entry containing the malicious payload.

How severe is CVE-2026-5110?

CVE-2026-5110 has a CVSS score of 7.2/10 (HIGH severity). The EPSS model estimates a 0.25% probability of exploitation in the next 30 days.

How do I fix CVE-2026-5110?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.