Cyber Resilience

CVE-2026-5111

Severity: High
Published: 02 May 2026
Modified: 05 May 2026
KEV Added: not listed
Patch: available (versions later than 2.10.0; see the change log reference)
CVSS v3.1 base score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS score: 0.0002 (6.2 percentile, below the median)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5111 is a high-severity stored cross-site scripting (CWE-79) vulnerability in the Gravity Forms plugin for WordPress (product inferred from references; NVD filed no CPE). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.2 percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-5111 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Gravity Forms plugin for WordPress, affecting versions up to and including 2.10.0. The flaw arises from insufficient input validation and missing output escaping on Hidden Product field values when those fields are placed inside Repeater fields. Two defects combine: Repeater subfields bypass Gravity Forms' state validation (the check meant to reject client-side changes to server-defined values such as a hidden product's name), and the Hidden Product field's validate() method checks only the quantity while ignoring the product name, which is later rendered without escaping by get_value_entry_detail().

No authentication is required. An attacker submits the form with a script payload in the product name of a Hidden Product field nested in a Repeater field, and the payload is stored with the entry. It executes whenever an administrator opens that entry's details page in the WordPress admin, running in the administrator's session and origin, which is enough for session hijacking, data theft, or further site compromise through actions performed from the administrator's browser. The CVSS v3.1 base score is 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N): network reachable, low attack complexity, no privileges, changed scope, and low confidentiality and integrity impact. Note that the vector records UI:N even though the payload fires only when an administrator views the entry; the trigger is the routine administrative act of reviewing submissions rather than a click on an attacker-supplied link.

Fix details are in the Gravity Forms change log at https://docs.gravityforms.com/gravityforms-change-log/ and the Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/a50e7042-bf7b-49d8-8e62-d01ecdd769fd?source=cve. The fix ships in versions later than 2.10.0. Because stored payloads persist after the update, sites should also review entries submitted while a vulnerable version was installed.
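The two questions a responder asks first are whether the installed plugin is in the affected range and whether any stored entries already carry a payload in a Hidden Product value, including ones nested in Repeater rows. The script below is an added triage example, not code from this page or from Gravity Forms. It reads the version from the standard WordPress plugin header (Gravity Forms ships it in wp-content/plugins/gravityforms/gravityforms.php) and scans an entry dump for markup. The entry layout (a list of dicts with type, label, value, and rows for repeater fields), the field type name "hiddenproduct", the sample header and the sample entries are all assumptions constructed for the example; a real export must be mapped onto that shape first. The markup regex is a triage heuristic, not proof of exploitation.

```python
"""Triage helpers for CVE-2026-5111 (stored XSS via Hidden Product fields inside Repeater fields).

Added example, not Gravity Forms code. Two checks:
  1. is the installed Gravity Forms version within the affected range (<= 2.10.0)?
  2. do stored entries contain markup in Hidden Product values, including values
     nested in Repeater rows, where the advisory says validation is bypassed?
"""
import html
import re

LAST_AFFECTED = (2, 10, 0)  # from the advisory: "up to and including 2.10.0"

# Standard WordPress plugin header line, e.g. " * Version: 2.10.0"
_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)

# Rough signature for tags, inline event handlers and javascript: URLs (heuristic)
_MARKUP_RE = re.compile(r"<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)


def parse_version(text):
    """'2.10.0' or '2.10.0-beta1' -> (2, 10, 0); missing components count as 0."""
    core = text.split("-", 1)[0]
    nums = []
    for part in core.split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])


def version_from_plugin_header(header_text):
    """Return the Version: value from a plugin file header, or None if absent."""
    m = _HEADER_RE.search(header_text)
    return m.group(1) if m else None


def is_affected(version):
    return parse_version(version) <= LAST_AFFECTED


def _walk(fields, path):
    """Yield (path, field) for every field, descending into repeater rows."""
    for f in fields:
        here = path + [str(f.get("label", f.get("id", "?")))]
        yield here, f
        if f.get("type") == "repeater":
            for row_no, row in enumerate(f.get("rows", [])):
                yield from _walk(row, here + [f"row {row_no}"])


def suspicious_product_names(entries):
    """Flag Hidden Product values that contain markup; values are escaped for safe reporting."""
    hits = []
    for entry in entries:
        for path, field in _walk(entry.get("fields", []), []):
            if field.get("type") != "hiddenproduct":  # assumed type name
                continue
            value = str(field.get("value", ""))
            if _MARKUP_RE.search(value):
                hits.append({
                    "entry_id": entry.get("id"),
                    "path": " > ".join(path),
                    "value": html.escape(value),  # never echo raw attacker text into a report
                })
    return hits


def triage(header_text, entries):
    version = version_from_plugin_header(header_text)
    return {
        "version": version,
        "affected": bool(version) and is_affected(version),
        "hits": suspicious_product_names(entries),
    }


# Constructed sample input: a plugin header at the last affected version and two entries,
# one of which carries a payload in a Hidden Product field nested in a Repeater row.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Gravity Forms
Version: 2.10.0
*/
"""

SAMPLE_ENTRIES = [
    {"id": 101, "fields": [
        {"id": 1, "type": "text", "label": "Name", "value": "Alice"},
        {"id": 5, "type": "repeater", "label": "Items", "rows": [
            [{"id": "5.1", "type": "hiddenproduct", "label": "Item", "value": "Widget|10.00"}],
            [{"id": "5.1", "type": "hiddenproduct", "label": "Item",
              "value": "<img src=x onerror=alert(document.cookie)>|10.00"}],
        ]},
    ]},
    {"id": 102, "fields": [
        {"id": 7, "type": "hiddenproduct", "label": "Plan", "value": "Basic|5.00"},
    ]},
]

if __name__ == "__main__":
    print(triage(SAMPLE_HEADER, SAMPLE_ENTRIES))
```

On a live site, feed version_from_plugin_header() the contents of gravityforms.php (or compare the output of `wp plugin get gravityforms --field=version` with is_affected()), and build the entries list from whatever export path you trust. A hit means the value should be inspected in a viewer that does not render HTML, not opened on the entry details page of an unpatched site.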


Vulnerability details

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping on Hidden Product field values when used inside Repeater fields, where repeater subfields bypass state validation checks and the Hidden Product validate() method only validates the quantity field while ignoring the product name field that is later output without proper escaping in the get_value_entry_detail() method. This makes it possible for unauthenticated attackers to inject arbitrary web scripts through form submissions that will execute whenever an administrator views the entry details.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 Command and Scripting Interpreter: JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS in a public-facing WordPress plugin lets an unauthenticated form submission store a script payload (T1190); the injected JavaScript then runs in an administrator's browser context (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231 (shared CWE-79)
CVE-2025-23481 (shared CWE-79)
CVE-2025-69302 (shared CWE-79)
CVE-2025-23734 (shared CWE-79)
CVE-2025-23571 (shared CWE-79)
CVE-2025-65110 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-27352 (shared CWE-79)
CVE-2025-30349 (shared CWE-79)
CVE-2026-3876 (shared CWE-79)

Affected Assets

Gravity Forms plugin for WordPress, versions up to and including 2.10.0
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
SI-10 requires validation of all information inputs, directly addressing the insufficient input validation on Hidden Product field values within Repeater fields that allows script injection.

SI-15 Information Output Filtering (prevent)
SI-15 mandates filtering of information outputs, mitigating the lack of output escaping in the get_value_entry_detail() method that enables stored script execution when viewing entry details.

SI-2 Flaw Remediation (prevent)
SI-2 ensures timely identification, reporting, and correction of flaws, directly supporting patching of the Gravity Forms plugin to versions later than 2.10.0 where this stored XSS is remediated.
