CVE-2026-5110
Published: 02 May 2026
Summary
CVE-2026-5110 is a high-severity cross-site scripting (CWE-79) vulnerability in Gravity Forms (product inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); its exploit-likelihood ranking is the 6.2 percentile (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-5110 is an unauthenticated stored cross-site scripting (XSS) vulnerability in the Gravity Forms plugin for WordPress, affecting versions up to and including 2.10.0. The issue stems from insufficient input validation and output escaping in the SingleProduct field when it is nested within a Repeater field. Specifically, the validation flow bypasses the failed_state_validation() mechanism, because validate_subfield() only invokes the field's validate() method, which checks the quantity but does not check the product name for tampering. Consequently, attackers can inject arbitrary HTML and JavaScript into the product name field (input .1), and the value is saved to the database unsanitized because sanitize_entry_value() returns raw values for this field type.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges. By submitting a form with a malicious payload in the nested SingleProduct field, they inject scripts that persist in the database. When an administrator views the affected entry via wp-admin/admin.php?page=gf_entries, the get_value_entry_detail() method outputs the product name without escaping, executing the payload in the administrator's browser. This achieves partial confidentiality and integrity impacts (C:L/I:L) in a changed scope (S:C), earning a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and mapping to CWE-79.
Advisories reference the Gravity Forms changelog at https://docs.gravityforms.com/gravityforms-change-log/ for patch details and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/f9135799-00db-447d-b795-faafeafbce67?source=cve, indicating mitigations through plugin updates beyond version 2.10.0.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26742
Vulnerability details
The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field.
When SingleProduct fields are nested within Repeater fields, the validation flow bypasses the state validation mechanism (failed_state_validation()) that would normally prevent tampering with field values. The validate_subfield() method only calls the field's validate() method, which for SingleProduct fields only validates the quantity field and does not check the product name field for tampering. As a result, an attacker can inject arbitrary HTML and JavaScript into the product name field (input .1). This malicious input is then saved to the database without sanitization because sanitize_entry_value() returns raw values when HTML is not expected for the field type. When an administrator views the entry in wp-admin/admin.php?page=gf_entries, the get_value_entry_detail() method outputs the product name without escaping, causing the stored XSS payload to execute in the administrator's browser. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses an entry containing the malicious payload.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated stored XSS in a public-facing WordPress plugin directly enables remote exploitation of the application (T1190) and allows injection/execution of arbitrary JavaScript payloads in the administrator's browser context (T1059.007).
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates validation of all information inputs, directly preventing injection of arbitrary HTML/JavaScript into the SingleProduct field due to bypassed validation in nested Repeater fields.
SI-15 requires filtering of information outputs prior to transmission, preventing execution of stored XSS payloads when administrators view unsanitized product name values in entry details.
SI-2 ensures flaws such as this stored XSS vulnerability in Gravity Forms are remediated through timely patching to versions beyond 2.10.0.
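The following PHP model illustrates the two controls above (SI-10 input validation and SI-15 output filtering) applied to the flow described under Vulnerability details: the product name of a SingleProduct field is compared against the server-side form configuration at every nesting level, including rows of a Repeater, and the stored value is HTML-escaped when rendered on the entry detail screen. This is an added example, not Gravity Forms code; the field configuration, the input names (input_3_1 and so on), and the function names are assumptions made for illustration.

```php
<?php
// Illustrative model (not the plugin's code) of closing a stored-XSS path of the
// kind described for CVE-2026-5110. Assumed field layout: input .1 = product
// name, input .2 = price, input .3 = quantity. Only the quantity is meant to be
// user-editable; name and price are fixed by the form author.
const FIELD_CONFIG = [
    'id'    => 3,                 // hypothetical field id
    'type'  => 'singleproduct',
    'label' => 'Widget',          // configured product name (input .1)
    'price' => '10.00',           // configured price (input .2)
];

/**
 * SI-10: server-side validation of one SingleProduct submission.
 * Returns a list of error strings; an empty list means the row is accepted.
 */
function validate_single_product(array $field, array $row): array
{
    $errors   = [];
    $prefix   = 'input_' . $field['id'] . '_';
    $name     = (string) ($row[$prefix . '1'] ?? '');
    $price    = (string) ($row[$prefix . '2'] ?? '');
    $quantity = (string) ($row[$prefix . '3'] ?? '');

    // State validation: name and price are not user-editable, so any value
    // other than the configured one is tampering and the submission is rejected.
    if ($name !== $field['label']) {
        $errors[] = 'product name does not match the form configuration';
    }
    if ($price !== $field['price']) {
        $errors[] = 'price does not match the form configuration';
    }
    // Quantity is the only user-supplied input: a bounded non-negative integer.
    if (!preg_match('/^\d{1,6}$/', $quantity)) {
        $errors[] = 'quantity must be a whole number';
    }
    return $errors;
}

/**
 * The same check must run for every row of a nested Repeater; skipping it for
 * subfields is exactly the gap the advisory describes.
 */
function validate_repeater_rows(array $field, array $rows): array
{
    $errors = [];
    foreach ($rows as $index => $row) {
        foreach (validate_single_product($field, $row) as $error) {
            $errors[] = "row {$index}: {$error}";
        }
    }
    return $errors;
}

/**
 * SI-15: render a stored product name for the entry detail screen as text,
 * never as markup. Inside WordPress, esc_html() is the equivalent call.
 */
function render_product_name(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions: one legitimate row and one with a tampered
// product name, as they might arrive as rows of a Repeater field.
$rows = [
    ['input_3_1' => 'Widget', 'input_3_2' => '10.00', 'input_3_3' => '2'],
    ['input_3_1' => '<script>alert(1)</script>', 'input_3_2' => '10.00', 'input_3_3' => '1'],
];

foreach (validate_repeater_rows(FIELD_CONFIG, $rows) as $error) {
    echo "rejected: {$error}", PHP_EOL;
}

// Even if a tampered value had already been stored, escaping on output keeps
// it inert in the administrator's browser.
echo render_product_name($rows[1]['input_3_1']), PHP_EOL;
```

The validation step rejects the tampered row before anything reaches the database, and the escaping step protects entries that were stored before the fix; both are needed because the advisory identifies a missing check on input and a missing escape on output.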