Cyber Posture

CVE-2026-5112

Severity: High
Published: 02 May 2026
Modified: 05 May 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: see the Gravity Forms changelog linked below
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0001 (3.1 percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-5112 is a high-severity unauthenticated stored Cross-site Scripting (CWE-79) vulnerability in the Gravity Forms plugin for WordPress, affecting versions up to and including 2.10.0 (product inferred from references; NVD filed no CPE). Its CVSS 3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS places it at the 3.1 percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog. EPSS scores for newly published CVEs typically start low and are revised as exploitation evidence accrues, so the percentile is not a reason to defer patching an Internet-facing form: the only trigger needed after a submission is an administrator opening the entry.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one further technique, JavaScript execution (T1059.007). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Enforces validation of Calculation Product field product names so that malicious HTML cannot bypass the validate() method and be stored unsanitized.

SI-15 Information Output Filtering (prevent)
Requires output filtering and escaping in the get_value_entry_detail() methods so that stored scripts do not execute when administrators view entry details.

Patch management (prevent)
Mandates timely patching of the Gravity Forms plugin flaw as detailed in the advisories, remediating both the input validation and the output escaping deficiencies.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The stored XSS allows unauthenticated attackers to submit malicious payloads to the public-facing form (T1190 Exploit Public-Facing Application), which stores and executes arbitrary JavaScript in the admin browser context upon viewing entries (T1059.007 JavaScript).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping of Calculation Product field product names when rendered inside Repeater fields. The validate() method in the GF_Field_Calculation class only validates the quantity field (.3) and completely ignores the product name field (.1), allowing malicious HTML to pass through validation. When the value is saved, the sanitize_entry_value() method returns the raw value without sanitization for fields where HTML is not expected. Subsequently, when an entry is viewed in wp-admin, the get_value_entry_detail() method concatenates the unescaped product name directly into the output string, which is then rendered by the repeater's get_value_entry_detail() method without further escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via form submissions that will execute whenever an authenticated administrator with the gravityforms_view_entries capability accesses the entry detail page.
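The three steps in that description (validate() skipping sub-input .1, sanitize_entry_value() returning the raw value, get_value_entry_detail() concatenating it into the admin page) can be modelled in a few lines. The following is an added example, not Gravity Forms code: the class and method names are simplified stand-ins for GF_Field_Calculation and the Repeater, the sub-input numbering follows the description, and htmlspecialchars() stands in for WordPress's esc_html(). It pushes a constructed submission through the vulnerable pattern and through a hardened one that applies SI-10 style input validation and SI-15 style output escaping.

```php
<?php
// Added example, not Gravity Forms code: a reduced model of the pattern in the
// advisory. Sub-input numbering (.1 name, .2 price, .3 quantity) follows the
// description; class names are stand-ins for GF_Field_Calculation and the
// Repeater, and htmlspecialchars() stands in for WordPress's esc_html().

declare(strict_types=1);

// Vulnerable pattern: validate() checks only the quantity (.3), the raw value
// is stored unchanged, and the entry detail concatenates it unescaped.
final class VulnerableCalculationField
{
    public function validate(array $submission): array
    {
        $errors = [];
        if (!preg_match('/^\d+$/', (string) ($submission['3'] ?? ''))) {
            $errors[] = 'Quantity must be a whole number.';
        }
        return $errors; // the product name (.1) is never looked at
    }

    public function sanitizeEntryValue(string $value): string
    {
        return $value; // "HTML not expected" here, so nothing is done
    }

    public function getValueEntryDetail(array $entry): string
    {
        return $entry['1'] . ' (' . $entry['3'] . ' x ' . $entry['2'] . ')';
    }
}

// Hardened pattern: reject markup on input (SI-10) and escape on output (SI-15).
final class HardenedCalculationField
{
    public function validate(array $submission): array
    {
        $errors = [];
        if (!preg_match('/^\d+$/', (string) ($submission['3'] ?? ''))) {
            $errors[] = 'Quantity must be a whole number.';
        }
        $name = (string) ($submission['1'] ?? '');
        // A product name is plain text: anything strip_tags() would alter is rejected.
        if ($name !== strip_tags($name) || strlen($name) > 200) {
            $errors[] = 'Product name may not contain markup.';
        }
        return $errors;
    }

    public function sanitizeEntryValue(string $value): string
    {
        return strip_tags($value); // defence in depth if validation is ever bypassed
    }

    public function getValueEntryDetail(array $entry): string
    {
        // Escape for the HTML text context the admin page renders this into.
        $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return $esc($entry['1']) . ' (' . $esc($entry['3']) . ' x ' . $esc($entry['2']) . ')';
    }
}

// Constructed submission: the product name carries a script payload.
$submission = [
    '1' => 'Widget<script>fetch("/wp-admin/user-new.php")</script>',
    '2' => '9.99',
    '3' => '2',
];

foreach ([new VulnerableCalculationField(), new HardenedCalculationField()] as $field) {
    echo get_class($field), PHP_EOL;
    $errors = $field->validate($submission);
    if ($errors !== []) {
        echo '  rejected at validation: ', implode(' ', $errors), PHP_EOL;
        continue;
    }
    $stored = array_map([$field, 'sanitizeEntryValue'], $submission);
    echo '  entry detail HTML: ', $field->getValueEntryDetail($stored), PHP_EOL;
}

// A payload that was stored before the fix: output escaping alone makes the
// entry detail page render it as inert text.
echo 'Hardened renderer on raw stored value: ',
    (new HardenedCalculationField())->getValueEntryDetail($submission), PHP_EOL;
```

Run with php. The vulnerable class accepts the payload and emits the script element verbatim into the entry detail output; the hardened class rejects it at validation, and its escaped renderer neutralises a payload that is already in storage, which is the property that matters for entries submitted before an upgrade. Output escaping is the control that a different injection route cannot sidestep, so it belongs in get_value_entry_detail() even when input validation is in place.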

Deeper analysis

CVE-2026-5112 is an unauthenticated stored Cross-Site Scripting (XSS) vulnerability, mapped to CWE-79, affecting the Gravity Forms plugin for WordPress in versions up to and including 2.10.0. The flaw arises from insufficient input validation and output escaping of Calculation Product field product names when rendered inside Repeater fields. The validate() method in the GF_Field_Calculation class only validates the quantity field (.3) and ignores the product name field (.1), permitting malicious HTML to bypass checks. When saved, the sanitize_entry_value() method returns the raw value unsanitized for fields not expecting HTML. Later, get_value_entry_detail() concatenates the unescaped product name into output, which the repeater's get_value_entry_detail() renders without further escaping.

Unauthenticated attackers can exploit this vulnerability by submitting a form whose Calculation Product field product name contains arbitrary web script. The payload is stored in the database and executes whenever an authenticated administrator holding the gravityforms_view_entries capability opens the entry detail page in wp-admin. This yields script execution in the administrator's browser context, reflected in the CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), and can be leveraged toward account takeover or further site compromise.

Advisories and patches are detailed in the Gravity Forms changelog at https://docs.gravityforms.com/gravityforms-change-log/ and the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/63973f61-81f0-4fc8-810c-a15734ff824e?source=cve, which cover remediation steps for affected installations.
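Patching stops new payloads from being rendered, but entries submitted while the site was vulnerable may still hold markup in product-name sub-inputs and deserve review (and any administrator who opened such an entry in the meantime had the script run in their session). The following triage script is an added example, not part of Gravity Forms or the referenced advisories. It walks entry arrays recursively, so it does not depend on how Repeater rows are nested, and flags any string value containing an HTML tag opener. The entries are constructed here; on a live site the same array shape can be obtained with GFAPI::get_entries() (assumed, not shown).

```php
<?php
// Added triage example, not Gravity Forms code. Scans stored entry values for
// HTML tag openers so entries submitted while the site was vulnerable can be
// reviewed. The entry arrays below are constructed; their key layout
// (fieldId.inputId, nested arrays for Repeater rows) is an assumption.

declare(strict_types=1);

// Tag opener: '<' followed by a letter, '/' or '!'. Plain text such as "a < b"
// is not flagged; any element start is, whatever the tag name.
const TAG_OPENER = '/<[a-z!\/]/i';

// Walks a value recursively and appends every string containing a tag opener
// to $hits, together with its path inside the entry.
function scanForMarkup($value, string $path, array &$hits): void
{
    if (is_array($value)) {
        foreach ($value as $key => $child) {
            scanForMarkup($child, $path . '/' . $key, $hits);
        }
        return;
    }
    if (is_string($value) && preg_match(TAG_OPENER, $value) === 1) {
        $hits[] = ['path' => $path, 'value' => $value];
    }
}

// Returns the flagged values across a list of entries, each prefixed by entry id.
function findSuspiciousEntries(array $entries): array
{
    $hits = [];
    foreach ($entries as $entry) {
        scanForMarkup($entry, 'entry ' . $entry['id'], $hits);
    }
    return $hits;
}

// Constructed entries: 101 is clean; 102 carries a payload in a top-level
// product name; 103 carries one inside a Repeater row (field 7, row 1).
$entries = [
    ['id' => 101, '4.1' => 'Blue widget', '4.2' => '9.99', '4.3' => '2'],
    ['id' => 102, '4.1' => 'Gadget<img src=x onerror=alert(document.cookie)>', '4.2' => '1.00', '4.3' => '1'],
    ['id' => 103, '7' => [
        ['4.1' => 'Mug', '4.2' => '3.50', '4.3' => '1'],
        ['4.1' => '<svg/onload=fetch("/wp-json/wp/v2/users")>', '4.2' => '0', '4.3' => '3'],
    ]],
];

foreach (findSuspiciousEntries($entries) as $hit) {
    printf("%s: %s\n", $hit['path'], $hit['value']);
}
```

Run with php; it lists the two planted values with their paths (entry 102 at 4.1, entry 103 inside field 7, row 1) and nothing for entry 101. Flagged entries are worth treating as evidence rather than just deleting: the timestamp and the submitting IP in the entry metadata, combined with the admin access log for the entry detail page, tell you whether the payload ever reached a browser and whose session to rotate.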

Details

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Gravity Forms plugin for WordPress, versions up to and including 2.10.0
(inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-2101 (shared CWE-79)
CVE-2024-26006 (shared CWE-79)
CVE-2025-7760 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-22709 (shared CWE-79)
CVE-2026-27614 (shared CWE-79)
CVE-2025-23689 (shared CWE-79)
CVE-2025-23760 (shared CWE-79)
CVE-2025-28935 (shared CWE-79)
CVE-2025-25087 (shared CWE-79)

References

Gravity Forms changelog: https://docs.gravityforms.com/gravityforms-change-log/
Wordfence threat intelligence report: https://www.wordfence.com/threat-intel/vulnerabilities/id/63973f61-81f0-4fc8-810c-a15734ff824e?source=cve