Gravity Forms Plugin: Unauthenticated Stored XSS in WordPress

The Gravity Forms plugin for WordPress, in versions up to and including 2.10.0, is exposed to an unauthenticated stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-5110. The flaw stems from inadequate input validation and output escaping in the SingleProduct field when it is nested inside a Repeater field: because validation never examines the product-name sub-input, an attacker can inject arbitrary HTML and JavaScript into the product name field.

According to the National Vulnerability Database, the validate_subfield() method in this specific configuration only validates the quantity field, completely overlooking the product name. This allows malicious input to be saved directly to the database without sanitization. When an administrator views an entry containing this payload, the get_value_entry_detail() method outputs the product name unescaped, leading to the execution of the stored XSS in the administrator’s browser.

This is a high-severity issue (CVSS 7.2) that enables unauthenticated attackers to execute arbitrary web scripts in an administrator’s session. The attacker’s calculus is straightforward: target sites running vulnerable Gravity Forms versions, inject a payload, and wait for an admin to trigger it. This can lead to session hijacking, defacement, or further compromise of the WordPress environment.

What This Means For You

  • If your organization uses Gravity Forms, immediately check your plugin version. Any installation up to and including 2.10.0 is vulnerable to CVE-2026-5110. Patch this vulnerability without delay. Beyond patching, review administrator access logs for any suspicious activity around the time of the XSS discovery, as a successful exploit grants an attacker significant control over the WordPress admin panel.
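As an added check to go with the advice above (example code written for this page, not Gravity Forms’ own code): a small Python audit that flags plugin versions in the affected range and scans an exported set of entries for product-name sub-inputs (the .1 input) whose stored value contains HTML markup. The export layout, with repeater rows as lists of dicts keyed by sub-input id, is an assumption; the sample entries are constructed.

```python
import re
from html.parser import HTMLParser

LAST_VULNERABLE = (2, 10, 0)  # affected range from the advisory: <= 2.10.0

def parse_version(text):
    """'2.10.0' -> (2, 10, 0); shorter strings such as '2.10' are zero-padded."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_version(text):
    return parse_version(text) <= LAST_VULNERABLE

class _TagFinder(HTMLParser):  # records start tags; a real parser avoids naive '<' checks
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def contains_markup(value):
    """True if the parser sees at least one HTML start tag in the stored value."""
    finder = _TagFinder()
    finder.feed(str(value))
    return bool(finder.tags)

def find_suspicious_product_names(entries):
    """(entry_id, input_id, value) for each '.1' product-name sub-input holding markup.
    Repeater rows are assumed to be lists of dicts keyed by sub-input id."""
    findings = []
    def walk(entry_id, node):
        if isinstance(node, dict):
            for key, val in node.items():
                if isinstance(val, (dict, list)):
                    walk(entry_id, val)
                elif str(key).endswith(".1") and contains_markup(val):
                    findings.append((entry_id, key, val))
        elif isinstance(node, list):
            for item in node:
                walk(entry_id, item)
    for entry in entries:
        walk(entry.get("id"), entry)
    return findings

# Constructed sample export: product field 3 nested inside repeater field 5.
SAMPLE_ENTRIES = [
    {"id": "102", "5": [{"3.1": "Widget <script>evil()</script>", "3.2": "$10.00", "3.3": "1"},
                        {"3.1": "Gadget", "3.2": "$5.00", "3.3": "3"}]},
    {"id": "103", "5": [{"3.1": "5 < 10 and 2 > 1", "3.2": "$1.00", "3.3": "1"}]},
]
```

Entry 103 is included on purpose: a bare `<` in ordinary text is not a tag, so a parser-based check does not flag it where a substring match on `<` would.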

🛡️ Detection Rules

The detection rules below were auto-generated for this advisory and mapped to MITRE ATT&CK. Of the three rules, only the Sigma YAML preview of the first is shown here.

Severity: high · ATT&CK: T1190 (Initial Access)

CVE-2026-5110: Gravity Forms Unauthenticated Stored XSS via SingleProduct in Repeater

Sigma YAML:
title: 'CVE-2026-5110: Gravity Forms Unauthenticated Stored XSS via SingleProduct in Repeater'
id: scw-2026-05-02-ai-1
status: experimental
level: high
description: |
  This rule detects attempts to exploit CVE-2026-5110 by identifying requests that access the Gravity Forms entries page ('gf_entries') and contain a 'product_name' parameter in the query string. This specific pattern indicates an attacker attempting to view or inject malicious JavaScript into the product name field, which is then stored and executed when an administrator views the entry.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5110/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/wp-admin/admin.php?page=gf_entries'
    cs-uri-query|contains:
      - 'product_name'
  condition: selection
falsepositives:
  - Legitimate administrative activity
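To make concrete what the rule above actually selects, here is an added Python example (not part of the page or of the SCW rule set) that applies the same selection to constructed W3C-style log records. Sigma string matching is case-insensitive, so the comparison lowercases both sides; the log sample, the full cs-uri column and the field order are assumptions.

```python
# Sigma selection from the rule above: AND across fields, OR across a field's values.
SELECTION = {
    "cs-uri": ["/wp-admin/admin.php?page=gf_entries"],
    "cs-uri-query": ["product_name"],
}

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records

def matches_selection(record, selection=SELECTION):
    """Sigma 'contains' is case-insensitive, so both sides are lowercased."""
    return all(
        any(needle.lower() in record.get(field, "").lower() for needle in needles)
        for field, needles in selection.items()
    )

def matching_records(text):
    return [r for r in parse_w3c(text) if matches_selection(r)]

# Constructed sample log (W3C format with a full cs-uri column), not real traffic.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri cs-uri-query sc-status
2026-05-02 09:20:11 203.0.113.7 GET /wp-admin/admin.php?page=gf_entries&id=3 page=gf_entries&id=3 200
2026-05-02 09:21:03 203.0.113.7 GET /wp-admin/admin.php?page=gf_entries&id=3&product_name=x page=gf_entries&id=3&product_name=x 200
2026-05-02 09:22:45 198.51.100.4 POST /contact/ - 302
"""

if __name__ == "__main__":
    for rec in matching_records(SAMPLE_LOG):
        print(rec["time"], rec["c-ip"], rec["cs-uri"])
```

Because the selection keys on the admin-side entries page, it surfaces the viewing step the advisory describes, not the unauthenticated submission that stores the payload, which is why the rule itself lists legitimate administrative activity as a false positive.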

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5110 | XSS | Gravity Forms plugin for WordPress versions <= 2.10.0 |
| CVE-2026-5110 | XSS | Vulnerable component: SingleProduct field when used inside a Repeater field |
| CVE-2026-5110 | XSS | Vulnerable method: validate_subfield() for SingleProduct fields |
| CVE-2026-5110 | XSS | Attack vector: Injecting HTML/JavaScript into the product name field (input .1) |
| CVE-2026-5110 | XSS | Execution context: wp-admin/admin.php?page=gf_entries when administrator views entry |

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 02, 2026 at 09:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
