Cyber Resilience

CVE-2026-5113

High

Published: 02 May 2026
Modified: 05 May 2026
KEV Added: not listed
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0002 (6.2th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-5113 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gravityforms (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-5113 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, in the Gravity Forms plugin for WordPress, affecting versions up to and including 2.10.0. The flaw occurs in Consent field hidden inputs: the state validation mechanism fails open when input is sanitized by wp_kses(), and the stored value is later output with insufficient escaping. The validation computes two hashes, one over the raw input and one over the wp_kses()-sanitized input, and rejects the submission only if both differ from the original state. A payload whose tags are stripped by wp_kses() (e.g., <svg>) therefore produces a sanitized hash that matches the original state and passes the check, while the unsanitized raw value is what gets saved to the database.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity, no privileges, and no user interaction required, achieving a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). By submitting crafted entries, attackers inject arbitrary web scripts that execute when authenticated administrators access the Entries List page, as the stored malicious consent label is retrieved and output without escaping in the administrator's browser.

Mitigation details are available in the Gravity Forms change log at https://docs.gravityforms.com/gravityforms-change-log/ and Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/5890c0f1-f549-4076-9d57-74f5eaffdcb3?source=cve.


Vulnerability details

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wp_kses(), combined with insufficient output escaping. The state validation logic creates two hashes (raw input and wp_kses-sanitized input) and only fails validation if BOTH hashes don't match the original state. When an attacker injects XSS payloads using tags stripped by wp_kses() (like <svg>), the sanitized hash matches while the malicious raw value is preserved and saved to the database. When administrators view the Entries List page, the stored malicious consent label is retrieved and output without escaping, causing the XSS payload to execute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entries that will execute whenever an authenticated administrator accesses the entries list page.
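The fail-open check described in the deeper analysis and in the vulnerability details above, modeled as an added example that is not Gravity Forms' own code: a stand-in sanitizer that strips tags outside an allow-list plays the role of wp_kses(), the vulnerable validator accepts a submission if either the raw or the sanitized hash matches the rendered state, and the hardened variant requires the raw value itself to match and escapes the label on output. The signing secret, allow-list, helper names and sample values are all constructed for the demonstration.

```python
import hashlib
import hmac
import html
import re

# Constructed stand-in for wp_kses(): drops any tag not on the allow-list.
# The real function is far more thorough; this only models "tag is stripped".
ALLOWED_TAGS = {"a", "strong", "em"}
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)[^>]*>")

def kses_like(value: str) -> str:
    return TAG_RE.sub(
        lambda m: m.group(0) if m.group(1).lower() in ALLOWED_TAGS else "", value
    )

SECRET = b"constructed-demo-secret"  # assumption: the site's signing secret

def state_hash(value: str) -> str:
    """HMAC over the label the form was rendered with (the 'original state')."""
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def validate_fail_open(submitted: str, expected_state: str) -> bool:
    """Vulnerable pattern: reject only if BOTH the raw and the sanitized hash
    differ, so a raw value the sanitizer would clean passes and is stored as-is."""
    raw_ok = hmac.compare_digest(state_hash(submitted), expected_state)
    clean_ok = hmac.compare_digest(state_hash(kses_like(submitted)), expected_state)
    return raw_ok or clean_ok

def validate_strict(submitted: str, expected_state: str) -> bool:
    """Hardened pattern: the raw submitted value itself must match the state."""
    return hmac.compare_digest(state_hash(submitted), expected_state)

def render_label(stored: str) -> str:
    """Output escaping for the Entries List (the role esc_html() plays in WordPress)."""
    return html.escape(stored, quote=True)

def demo() -> dict:
    rendered = "I agree to the terms"   # label exactly as the form rendered it
    expected = state_hash(rendered)
    tampered = rendered + "<svg>"       # constructed: a tag the sanitizer strips
    return {
        "fail_open_accepts_tampered": validate_fail_open(tampered, expected),
        "strict_accepts_tampered": validate_strict(tampered, expected),
        "strict_accepts_original": validate_strict(rendered, expected),
        "escaped_output": render_label(tampered),
    }

if __name__ == "__main__":
    print(demo())
```

The first key comes back True and the second False, which is the whole bug in one line: the sanitized hash vouches for a raw value that was never sanitized before storage.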

CWE(s): CWE-79 (Cross-site Scripting)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 Command and Scripting Interpreter: JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application) via unauthenticated form submission, and facilitates T1059.007 (JavaScript) by executing arbitrary scripts in the administrator's browser context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231 (shared CWE-79)
CVE-2025-23481 (shared CWE-79)
CVE-2025-69302 (shared CWE-79)
CVE-2025-23734 (shared CWE-79)
CVE-2025-23571 (shared CWE-79)
CVE-2025-65110 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-27352 (shared CWE-79)
CVE-2025-30349 (shared CWE-79)
CVE-2026-3876 (shared CWE-79)

Affected Assets

Gravityforms (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): SI-10 enforces validation of inputs to reject XSS payloads, directly countering the flawed state validation mechanism that fails open and allows malicious raw values to be stored in consent fields.

SI-15 Information Output Filtering (prevent): SI-15 requires filtering of output prior to display, preventing execution of stored XSS payloads when administrators retrieve and view unescaped consent labels on the Entries List page.

SI-2 Flaw Remediation (prevent): SI-2 mandates timely identification, reporting, and remediation of software flaws like this stored XSS vulnerability in the Gravity Forms plugin through patching.
