
CVE-2026-5110

Severity: High
Published: 02 May 2026
Modified: 05 May 2026
KEV: not listed
Patch: available (update beyond 2.10.0)
CVSS v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS: 0.0002 (6.2th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5110 is a high-severity stored cross-site scripting (CWE-79) vulnerability in the Gravity Forms plugin for WordPress (product inferred from references). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0002 places it at the 6.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-5110 is an unauthenticated stored cross-site scripting (XSS) vulnerability in the Gravity Forms plugin for WordPress, affecting versions up to and including 2.10.0. The issue stems from insufficient input validation and output escaping in the SingleProduct field when it is nested within a Repeater field. Specifically, the nested validation flow bypasses the failed_state_validation() mechanism that would normally detect tampering with fixed field values: validate_subfield() only invokes the field's validate() method, which checks the quantity but not the product name. Consequently, an attacker can place arbitrary HTML and JavaScript in the product name input (input .1), and sanitize_entry_value() stores it unmodified because it returns the raw value for field types where HTML is not expected.

Unauthenticated attackers can exploit this remotely with low complexity and no privileges. By submitting a form with a malicious payload in the nested SingleProduct product name, they persist a script in the entry database. When an administrator views the affected entry at wp-admin/admin.php?page=gf_entries, get_value_entry_detail() outputs the product name without escaping, so the payload executes in the administrator's browser with that user's session. This yields partial confidentiality and integrity impacts (C:L/I:L) in a changed scope (S:C), a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), and a mapping to CWE-79.
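The following PHP is an added illustration of the two defects described above, not Gravity Forms code: it models the nested SingleProduct-in-Repeater flow with hypothetical names (validate_subfield_vulnerable(), validate_subfield_hardened(), the render_entry_detail_* functions and the $form / $submission arrays are all stand-ins for the plugin's internals). The "vulnerable" path accepts and renders the tampered product name as the advisory describes; the "hardened" path shows the two independent fixes a reviewer would expect, rejecting a product name that differs from the form's configuration (input validation, the SI-10 control below) and escaping on output regardless (output filtering, SI-15). The payload is a constructed sample.

```php
<?php
// Added example, not Gravity Forms code. All names below are hypothetical
// stand-ins for the plugin's internal functions and data structures.

declare(strict_types=1);

// Form as configured by the site owner. For a SingleProduct field the name
// and price are fixed; only the quantity is legitimate visitor input.
$form = [
    'repeater_field_id' => 3,
    'product' => ['id' => 1, 'name' => 'Widget', 'price' => '10.00'],
];

// Constructed submission: one Repeater row whose product-name input (".1")
// has been tampered with. Quantity (".3") is valid so the quantity-only check passes.
$submission = [
    'input_3' => [
        [
            'input_1_1' => '<img src=x onerror="alert(document.cookie)">',
            'input_1_2' => '10.00',
            'input_1_3' => '2',
        ],
    ],
];

// Vulnerable path: mirrors the described behaviour. Only the quantity is
// validated; the product name is accepted exactly as submitted.
function validate_subfield_vulnerable(array $row): array
{
    $qty = (string) ($row['input_1_3'] ?? '');
    if ($qty === '' || !ctype_digit($qty)) {
        return ['ok' => false, 'error' => 'Quantity must be a whole number.'];
    }
    return ['ok' => true, 'name' => (string) ($row['input_1_1'] ?? ''), 'qty' => (int) $qty];
}

// Hardened path: the fixed product name is treated like any other
// state-protected value and must match the form definition. This is a
// simplified stand-in for the plugin's state validation, not its algorithm.
function validate_subfield_hardened(array $row, array $form): array
{
    $result = validate_subfield_vulnerable($row);
    if (!$result['ok']) {
        return $result;
    }
    $expected = $form['product']['name'];
    if (!hash_equals($expected, $result['name'])) {
        return ['ok' => false, 'error' => 'Product name does not match the form definition.'];
    }
    return $result;
}

// Vulnerable rendering: the stored value is written straight into the
// entry-detail HTML, so a stored payload executes in the admin's browser.
function render_entry_detail_vulnerable(string $name, int $qty): string
{
    return "<td>{$name}</td><td>{$qty}</td>";
}

// Hardened rendering: escape at the output point even if validation failed
// upstream. In WordPress you would call esc_html(); htmlspecialchars() is
// the stand-alone equivalent used here so the script runs without WordPress.
function render_entry_detail_hardened(string $name, int $qty): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<td>{$safe}</td><td>{$qty}</td>";
}

foreach ($submission['input_3'] as $row) {
    $v = validate_subfield_vulnerable($row);
    echo 'vulnerable validate: ', $v['ok'] ? 'accepted' : 'rejected', PHP_EOL;
    if ($v['ok']) {
        echo 'vulnerable render:   ', render_entry_detail_vulnerable($v['name'], $v['qty']), PHP_EOL;
        echo 'hardened render:     ', render_entry_detail_hardened($v['name'], $v['qty']), PHP_EOL;
    }
    $h = validate_subfield_hardened($row, $form);
    echo 'hardened validate:   ', $h['ok'] ? 'accepted' : 'rejected: ' . $h['error'], PHP_EOL;
}
```

Run with `php example.php`. The vulnerable path accepts the row and emits the raw `<img ... onerror=...>` tag; the hardened renderer emits it entity-encoded, and the hardened validator rejects the row outright. Both fixes are needed: validation stops the payload from ever being stored, while output escaping protects administrators from entries that were stored before the fix or that reach the database by another route.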

Advisories reference the Gravity Forms changelog at https://docs.gravityforms.com/gravityforms-change-log/ for patch details and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/f9135799-00db-447d-b795-faafeafbce67?source=cve, indicating mitigations through plugin updates beyond version 2.10.0.

Vulnerability details

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are nested within Repeater fields, the validation flow bypasses the state validation mechanism (failed_state_validation()) that would normally prevent tampering with field values. The validate_subfield() method only calls the field's validate() method, which for SingleProduct fields only validates the quantity field and does not check the product name field for tampering. As a result, an attacker can inject arbitrary HTML and JavaScript into the product name field (input .1). This malicious input is then saved to the database without sanitization because sanitize_entry_value() returns raw values when HTML is not expected for the field type. When an administrator views the entry in wp-admin/admin.php?page=gf_entries, the get_value_entry_detail() method outputs the product name without escaping, causing the stored XSS payload to execute in the administrator's browser. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses an entry containing the malicious payload.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The unauthenticated stored XSS in a public-facing WordPress plugin directly enables remote exploitation of the application (T1190) and allows injection/execution of arbitrary JavaScript payloads in the administrator's browser context (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231 (shared CWE-79)
CVE-2025-23481 (shared CWE-79)
CVE-2025-69302 (shared CWE-79)
CVE-2025-23734 (shared CWE-79)
CVE-2025-23571 (shared CWE-79)
CVE-2025-65110 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-27352 (shared CWE-79)
CVE-2025-30349 (shared CWE-79)
CVE-2026-3876 (shared CWE-79)

Affected Assets

Gravityforms (Gravity Forms plugin for WordPress), versions up to and including 2.10.0
Product inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): mandates validation of all information inputs. Checking the product name subfield against the value configured in the form, rather than validating only the quantity, would have caught the tampering that the nested Repeater validation flow missed.

SI-15 Information Output Filtering (prevent): requires filtering of information outputs prior to transmission. Escaping the product name when get_value_entry_detail() renders it stops a stored payload from executing in the administrator's browser, including payloads already saved before the input check was fixed.

SI-2 Flaw Remediation (prevent): ensures flaws such as this stored XSS in Gravity Forms are remediated through timely patching to a version beyond 2.10.0.

References

Gravity Forms changelog: https://docs.gravityforms.com/gravityforms-change-log/
Wordfence threat intelligence: https://www.wordfence.com/threat-intel/vulnerabilities/id/f9135799-00db-447d-b795-faafeafbce67?source=cve