CVE-2026-5111: Gravity Forms Plugin Hit by Stored XSS

The Gravity Forms plugin for WordPress, in versions up to and including 2.10.0, is vulnerable to a high-severity Stored Cross-Site Scripting (XSS) flaw, identified as CVE-2026-5111. The National Vulnerability Database reports this vulnerability stems from inadequate input validation and output escaping on “Hidden Product” field values when these are nested within “Repeater” fields. Subfields in repeaters bypass critical state validation checks, and the validate() method for “Hidden Product” only checks the quantity, completely ignoring the product name.

This oversight allows unauthenticated attackers to inject arbitrary web scripts through form submissions. These scripts then execute whenever an administrator views the affected entry details. Given the unauthenticated nature of the attack and its impact on administrators, the National Vulnerability Database assigns it a CVSS score of 7.2 (HIGH), highlighting the significant risk of client-side compromise for WordPress sites using vulnerable Gravity Forms installations.

Attackers can leverage this to steal session cookies, deface pages, or redirect administrators to malicious sites, potentially leading to full site compromise. Defenders need to recognize that XSS, especially stored XSS, is a persistent threat that can turn seemingly innocuous form submissions into vectors for administrative control. The attacker’s calculus here is simple: target a widely used plugin, find a validation bypass, and wait for an admin to trigger the payload.

What This Means For You

  • If your WordPress site uses the Gravity Forms plugin, you are exposed. Immediately identify all installations running versions up to and including 2.10.0. Patch to the latest secure version without delay. Audit your Gravity Forms entries for any suspicious script injections in "Hidden Product" fields, especially those within "Repeater" fields. This is a direct path for unauthenticated attackers to compromise administrator sessions.
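The entry audit recommended above, as an added example that is not part of the original advisory or of Gravity Forms itself: it walks exported entries, isolates Hidden Product subfields inside Repeater rows, and flags values carrying script markup. The entry layout, the `hiddenproduct` type label and the sample entries are assumptions constructed for this example.

```python
"""Audit exported Gravity Forms entries for script markup in Hidden Product
subfields nested in Repeater fields, the injection point of CVE-2026-5111.

Assumption for this example: each entry is a dict whose "repeaters" key maps a
Repeater field name to a list of rows, each row a list of subfield dicts with
"type" and "value".  Adapt hidden_product_values() to your real export shape."""
import re

# Markup that has no business in a product name: opening/closing tags,
# inline event handlers, javascript: URLs and the entity-encoded '<'.
SUSPICIOUS = re.compile(
    r"<\s*/?[a-z]|\bon[a-z]+\s*=|javascript\s*:|&lt;\s*/?[a-z]",
    re.IGNORECASE,
)

def hidden_product_values(entry):
    """Yield (repeater_field, row_index, value) for every Hidden Product
    subfield found inside a Repeater field of a single entry."""
    for field_name, rows in entry.get("repeaters", {}).items():
        for index, row in enumerate(rows):
            for subfield in row:
                if subfield.get("type") == "hiddenproduct":
                    yield field_name, index, str(subfield.get("value", ""))

def audit_entries(entries):
    """Return (entry_id, repeater_field, row_index, value) tuples for every
    Hidden Product value that contains suspicious markup."""
    findings = []
    for entry in entries:
        for field_name, index, value in hidden_product_values(entry):
            if SUSPICIOUS.search(value):
                findings.append((entry["id"], field_name, index, value))
    return findings

# Constructed sample entries: entry 102 carries an injected script in its
# second Repeater row, the product name that validate() never checked.
SAMPLE_ENTRIES = [
    {"id": 101, "repeaters": {"line_items": [
        [{"type": "hiddenproduct", "value": "Widget A|10.00"}],
        [{"type": "hiddenproduct", "value": "Widget B|25.50"}],
    ]}},
    {"id": 102, "repeaters": {"line_items": [
        [{"type": "hiddenproduct", "value": "Widget A|10.00"}],
        [{"type": "hiddenproduct", "value": "Widget C<script>alert(1)</script>|0.00"}],
    ]}},
]

if __name__ == "__main__":
    for entry_id, field_name, index, value in audit_entries(SAMPLE_ENTRIES):
        print(f"entry {entry_id}: {field_name}[{index}] -> {value!r}")
```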

🛡️ Detection Rules

Severity: high · ATT&CK: T1190 (Initial Access)

title: 'CVE-2026-5111: Gravity Forms Stored XSS via Hidden Product Field'
id: scw-2026-05-02-ai-1
status: experimental
level: high
description: |
  Detects potential exploitation of CVE-2026-5111 by looking for Gravity Forms plugin AJAX requests to save form settings that include parameters indicative of the vulnerable hidden product field. This rule targets the initial injection vector where an attacker might submit a form with malicious script payloads in the hidden product field, which are later rendered unescaped when an administrator views the entry details.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5111/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Matches POSTs to the admin AJAX endpoint with an admin referer. Unauthenticated
  # submissions arrive via the public form page, so tune these selectors to where
  # your deployment actually receives form data.
  selection:
    cs-uri|contains: '/wp-admin/admin-ajax.php'
    cs-uri-query|contains: 'action=gravityforms_save_form_settings'
    cs-method: 'POST'
    referer|contains: '/wp-admin/'
  # POST body parameters are not part of the URI query; this selector only fires
  # when the parameter is carried in the query string or the body is logged.
  selection_payload:
    cs-uri-query|contains: 'hidden_product_field_name'
  # condition sits at detection level, not nested under a selection
  condition: selection and selection_payload
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID             Type  Indicator
CVE-2026-5111  XSS   Gravity Forms plugin for WordPress versions <= 2.10.0
CVE-2026-5111  XSS   Insufficient input validation and output escaping on Hidden Product field values within Repeater fields
CVE-2026-5111  XSS   Vulnerable component: get_value_entry_detail() method
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 02, 2026 at 09:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
