CVE-2026-5111
Published: 02 May 2026
Summary
CVE-2026-5111 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gravityforms (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-5111 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, in the Gravity Forms plugin for WordPress, affecting versions up to and including 2.10.0. The flaw arises from insufficient input validation and output escaping on Hidden Product field values when used inside Repeater fields. Repeater subfields bypass state validation checks, and the Hidden Product validate() method only checks the quantity field while ignoring the product name field, which is later output without proper escaping in the get_value_entry_detail() method.
Unauthenticated attackers can exploit this vulnerability by submitting forms containing arbitrary web scripts in the affected Hidden Product fields within Repeater fields. The injected scripts execute whenever an administrator views the entry details page, potentially leading to session hijacking, data theft, or further site compromise in the administrator's browser context. The CVSS v3.1 base score is 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), reflecting its network reachability, low attack complexity, lack of required privileges or user interaction, and changed scope with low confidentiality and integrity impacts.
Mitigation details are available in the Gravity Forms change log at https://docs.gravityforms.com/gravityforms-change-log/ and the Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/a50e7042-bf7b-49d8-8e62-d01ecdd769fd?source=cve, which cover patches addressing this issue in versions beyond 2.10.0.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26743
Vulnerability details
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping on Hidden Product field values when used inside Repeater fields, where repeater subfields bypass state validation checks and the Hidden Product validate() method only validates the quantity field while ignoring the product name field that is later output without proper escaping in the get_value_entry_detail() method. This makes it possible for unauthenticated attackers to inject arbitrary web scripts through form submissions that will execute whenever an administrator views the entry details.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Stored XSS in a public-facing WordPress plugin allows an unauthenticated form submission to inject scripts (T1190); the injected JavaScript executes in the administrator's browser context, enabling script-based execution (T1059.007).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validation of all information inputs, directly addressing the insufficient input validation on Hidden Product field values within Repeater fields that allows script injection.
SI-15 mandates filtering of information outputs, mitigating the lack of output escaping in the get_value_entry_detail() method that enables stored script execution when viewing entry details.
SI-2 ensures timely identification, reporting, and correction of flaws, directly supporting patching of the Gravity Forms plugin to versions beyond 2.10.0 where this Stored XSS is remediated.
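As an added illustration, not Gravity Forms' own code and not taken from the referenced change log or Wordfence advisory, the PHP below contrasts the weak pattern the vulnerability details describe (validate() checks only the quantity, get_value_entry_detail() echoes the product name unescaped) with the validate-and-escape pattern that SI-10 and SI-15 call for. The class and method names, the positional layout of the field value array and the sample submission are all constructed for this example; esc_html() is WordPress's real output-escaping helper, shimmed here so the script also runs under a plain PHP 8 CLI.

```php
<?php
// Added example: hypothetical stand-ins for a Hidden Product field's
// validation and entry-detail rendering. Not plugin code.

// WordPress provides esc_html(); define a compatible shim so this runs
// outside WordPress too.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Weak pattern, mirroring the flaw as the advisory describes it: only the
// quantity slot is validated, and the product-name slot is written straight
// into the admin entry-detail markup.
final class WeakHiddenProductField {
    // Constructed layout: [0] = product name, [1] = price, [2] = quantity
    public function validate(array $value): bool {
        return is_numeric($value[2] ?? null) && (int)$value[2] >= 0;
    }

    public function getValueEntryDetail(array $value): string {
        return '<td>' . ($value[0] ?? '') . ' x ' . ($value[2] ?? '') . '</td>';
    }
}

// Hardened pattern (SI-10 input validation plus SI-15 output filtering):
// a hidden product's name is defined server-side, so a submission that
// changes it is rejected before storage; and every value is escaped at the
// point of output regardless of what validation accepted.
final class HardenedHiddenProductField {
    public function __construct(private string $configuredName) {}

    public function validate(array $value): bool {
        $name = (string)($value[0] ?? '');
        $qty  = $value[2] ?? null;
        return $name === $this->configuredName
            && is_numeric($qty) && (int)$qty >= 0;
    }

    public function getValueEntryDetail(array $value): string {
        // Escape on output even for values that passed validation.
        return '<td>' . esc_html((string)($value[0] ?? ''))
             . ' x ' . esc_html((string)($value[2] ?? '')) . '</td>';
    }
}

// Constructed sample: one repeater row whose product-name slot carries
// markup instead of the configured product name.
$submitted = ['<b>not-a-product</b>', '9.99', '1'];

$weak = new WeakHiddenProductField();
$hard = new HardenedHiddenProductField('Widget');

// The weak field accepts the row and renders the markup verbatim.
printf("weak validate: %s\n", var_export($weak->validate($submitted), true));
echo $weak->getValueEntryDetail($submitted), "\n";

// The hardened field rejects the row; and even if such a value were already
// stored, rendering it escapes the markup.
printf("hardened validate: %s\n", var_export($hard->validate($submitted), true));
echo $hard->getValueEntryDetail($submitted), "\n";
```

Both halves matter: validation alone would leave entries stored before the fix still rendering unescaped, and escaping alone would still persist values the form never meant to accept, which is why the advisory maps the issue to SI-10 and SI-15 together.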