CVE-2026-5113
Published: 02 May 2026
Summary
CVE-2026-5113 is a high-severity Cross-site Scripting (CWE-79) vulnerability in the Gravity Forms plugin for WordPress (product inferred from the references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 6.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-5113 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, in the Gravity Forms plugin for WordPress, affecting versions up to and including 2.10.0. The flaw occurs in Consent field hidden inputs because a state validation mechanism fails open when input is sanitized by wp_kses(), combined with insufficient output escaping. The validation generates two hashes, one for the raw input and one for the wp_kses()-sanitized input, and rejects the submission only if both differ from the original state. A payload built from tags that wp_kses() strips (e.g., <svg>) therefore passes the check while the malicious raw value is preserved in the database.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity, no privileges, and no user interaction required, achieving a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). By submitting crafted entries, attackers inject arbitrary web scripts that execute when authenticated administrators access the Entries List page, as the stored malicious consent label is retrieved and output without escaping in the administrator's browser.
Mitigation details are available in the Gravity Forms change log at https://docs.gravityforms.com/gravityforms-change-log/ and in the Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/5890c0f1-f549-4076-9d57-74f5eaffdcb3?source=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26745
Vulnerability details
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wp_kses(), combined with insufficient output escaping. The state validation logic creates two hashes (raw input and wp_kses-sanitized input) and only fails validation if BOTH hashes don't match the original state. When an attacker injects XSS payloads using tags stripped by wp_kses() (like <svg>), the sanitized hash matches while the malicious raw value is preserved and saved to the database. When administrators view the Entries List page, the stored malicious consent label is retrieved and output without escaping, causing the XSS payload to execute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entries that will execute whenever an authenticated administrator accesses the entries list page.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application) via unauthenticated form submission and facilitates T1059.007 (JavaScript) by executing arbitrary scripts in the administrator's browser context.
Mitigating Controls (NIST 800-53 r5)
SI-10 enforces validation of inputs to reject XSS payloads, directly countering the flawed state validation mechanism that fails open and allows malicious raw values to be stored in consent fields.
SI-15 requires filtering of output prior to display, preventing execution of stored XSS payloads when administrators retrieve and view unescaped consent labels on the Entries List page.
SI-2 mandates timely identification, reporting, and remediation of software flaws like this stored XSS vulnerability in the Gravity Forms plugin through patching.
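The fail-open state check described under Vulnerability details, and the two controls above (SI-10 on the input side, SI-15 on the output side), modelled in Python as an added example. This is constructed code, not Gravity Forms or WordPress code: strip_disallowed_tags is a simplified stand-in for wp_kses() with an assumed allow-list, the state token is an assumed HMAC over the trusted label keyed with a constructed secret, and the tampered submission is a bare <svg> tag appended to the trusted label, used only to show how each check decides. The block shows the either-hash check accepting the tampered value, a fail-closed check that requires the raw value to reproduce the state rejecting it, and an escaped rendering of the stored label.

```python
"""
Model of the state check in CVE-2026-5113 (constructed example, not plugin code):
a fail-open "either hash matches" check beside a fail-closed one, plus escaped output.
"""
import hashlib
import hmac
import html
import re
from typing import Callable, Optional

# Constructed secret standing in for the site salt that keys the state token (assumption).
STATE_SECRET = b"constructed-example-secret"

# Assumed allow-list standing in for the tags wp_kses() keeps in this context.
ALLOWED_TAGS = {"strong", "em", "a"}

_TAG_RE = re.compile(r"</?([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def strip_disallowed_tags(value: str) -> str:
    """Simplified stand-in for wp_kses(): drop tags not on the allow-list, keep
    allowed tags and all text. (Real wp_kses() also filters attributes.)"""
    return _TAG_RE.sub(
        lambda m: m.group(0) if m.group(1).lower() in ALLOWED_TAGS else "", value
    )


def state_hash(value: str) -> str:
    """State token the form renders alongside a hidden input (assumed keyed hash)."""
    return hmac.new(STATE_SECRET, value.encode("utf-8"), hashlib.sha256).hexdigest()


def validate_state_fail_open(submitted: str, state: str) -> bool:
    """Check as the advisory describes it: passes if EITHER the raw value's hash
    OR the sanitized value's hash matches the original state."""
    raw_ok = hmac.compare_digest(state_hash(submitted), state)
    sanitized_ok = hmac.compare_digest(state_hash(strip_disallowed_tags(submitted)), state)
    # Fails open: a tag the sanitizer strips makes sanitized_ok true while raw_ok is false.
    return raw_ok or sanitized_ok


def validate_state_fail_closed(submitted: str, state: str) -> bool:
    """Hardened check (SI-10): the raw submitted value itself must reproduce the
    state. Anything that differs from the trusted label, including tags that
    sanitization would later remove, is rejected before it can be stored."""
    return hmac.compare_digest(state_hash(submitted), state)


def process_submission(
    submitted: str, state: str, validator: Callable[[str, str], bool]
) -> Optional[str]:
    """Return the value that would be persisted, or None if the check rejects it."""
    return submitted if validator(submitted, state) else None


def render_label_escaped(stored: str) -> str:
    """Output path with escaping (SI-15): whatever was stored renders as text, not markup."""
    return f"<td>{html.escape(stored, quote=True)}</td>"


def demo() -> dict:
    original_label = "I agree to the terms"
    state = state_hash(original_label)
    # Constructed tampered value: the trusted label plus a tag the sanitizer strips.
    tampered = original_label + "<svg>"
    return {
        "fail_open_stores": process_submission(tampered, state, validate_state_fail_open),
        "fail_closed_stores": process_submission(tampered, state, validate_state_fail_closed),
        "untampered_accepted": process_submission(original_label, state, validate_state_fail_closed),
        "escaped_output": render_label_escaped(tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the block shows the fail-open check persisting the raw tampered value (the sanitized copy hashes back to the trusted label), the fail-closed check returning None for it while still accepting the untampered label, and the escaped row rendering the stored text with the angle brackets encoded. In a fix, both halves matter: validating on the raw value stops the tampered label from being stored, and escaping on the Entries List page stops an already stored one from executing.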