Gravity Forms Plugin: Unauthenticated Stored XSS Puts WordPress Admins at Risk

The Gravity Forms plugin for WordPress, versions up to and including 2.10.0, is vulnerable to unauthenticated stored Cross-Site Scripting (XSS), as detailed by the National Vulnerability Database. This severe flaw (CVE-2026-5112, CVSS: 7.2 HIGH) stems from inadequate input validation and output escaping within the Calculation Product field, specifically when product names are rendered inside Repeater fields. Attackers don’t need authentication to exploit this.

The core issue lies in the GF_Field_Calculation class’s validate() method, which neglects to validate the product name field, allowing malicious HTML to bypass checks. Subsequently, the sanitize_entry_value() method returns this raw, unsanitized value. When an authenticated administrator later views an entry in wp-admin, the get_value_entry_detail() method concatenates the unescaped product name directly into the output. This means an attacker can inject arbitrary web scripts via form submissions.
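To make the escaping defect concrete, the following is an added illustrative PHP example written for this page; it is not Gravity Forms' own code. It pairs a minimal stand-in for a `get_value_entry_detail()`-style renderer that concatenates the product name unescaped with a hardened version that escapes on output, and adds the validation-time check the advisory says `validate()` omits for the product name input. The class-free function names, the `calc_field.1`/`calc_field.2` key shape and the entry values are assumptions for illustration; when run outside WordPress a fallback `esc_html()` built on `htmlspecialchars()` is defined so the script executes stand-alone.

```php
<?php
// Added illustrative example; not Gravity Forms code. Function names and the
// entry-array layout are assumptions made for this demonstration.

// Outside WordPress, provide a minimal esc_html() so the script runs stand-alone.
// WordPress's real esc_html() does more (encoding checks); this fallback covers
// the HTML-significant characters for a text-node context.
if (!function_exists('esc_html')) {
    function esc_html($text): string
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed entry values: input ".1" is the product name an unauthenticated
// visitor submitted, ".2" the price. The name carries hostile markup (constructed).
$entry = [
    'calc_field.1' => 'Widget <script>alert(1)</script>',
    'calc_field.2' => '19.99',
];

// Vulnerable pattern, as the advisory describes it: the stored product name is
// concatenated into the admin entry-detail HTML with no escaping, so whatever
// markup the submitter stored runs in the administrator's browser.
function render_entry_detail_vulnerable(array $entry): string
{
    $name  = $entry['calc_field.1'];
    $price = $entry['calc_field.2'];
    return '<div class="product-detail">' . $name . ' (' . $price . ')</div>';
}

// Hardened pattern: escape every entry value at the point of output. This is
// needed even if validation is fixed, because a sanitize step that returns the
// raw value (the second defect the advisory names) would otherwise leave the
// stored markup intact.
function render_entry_detail_hardened(array $entry): string
{
    $name  = esc_html($entry['calc_field.1']);
    $price = esc_html($entry['calc_field.2']);
    return '<div class="product-detail">' . $name . ' (' . $price . ')</div>';
}

// Input-side check for a corrected validate(): a product name that changes when
// tags are stripped contains markup and is rejected. Deliberately conservative;
// a legitimate name containing a bare "<" is also rejected.
function product_name_is_clean(string $name): bool
{
    return strip_tags($name) === $name;
}

echo "Vulnerable output:\n" . render_entry_detail_vulnerable($entry) . "\n\n";
echo "Hardened output:\n" . render_entry_detail_hardened($entry) . "\n\n";
echo 'Validation verdict for the product name: '
    . (product_name_is_clean($entry['calc_field.1']) ? 'accept' : 'reject') . "\n";
```

Run with `php example.php`: the vulnerable renderer emits the `<script>` element verbatim, the hardened one emits it as `&lt;script&gt;…`, and the validation check rejects the constructed name. Output escaping and input validation are independent layers here; the advisory describes both as missing, and fixing only one would still leave the other path open.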

For defenders, this is a critical vulnerability. Any administrator with gravityforms_view_entries capability who accesses an affected entry detail page will execute the attacker’s script. This allows for session hijacking, malicious redirects, or further client-side attacks, potentially leading to full compromise of the WordPress site. Patching is non-negotiable.

What This Means For You

  • If your organization uses Gravity Forms on WordPress, immediately identify all instances running versions up to and including 2.10.0. Prioritize patching to a non-vulnerable version to mitigate the unauthenticated stored XSS vulnerability (CVE-2026-5112). Audit administrator accounts and their `gravityforms_view_entries` capability, especially if you cannot patch immediately.

🛡️ Detection Rules

Two detection rules were auto-generated for this advisory and mapped to MITRE ATT&CK; one is shown below as Sigma YAML.

Severity: high · ATT&CK technique: T1190 (Initial Access)

CVE-2026-5112: Gravity Forms Unauthenticated Stored XSS via Calculation Product Field

Sigma rule:

title: 'CVE-2026-5112: Gravity Forms Unauthenticated Stored XSS via Calculation Product Field'
id: scw-2026-05-02-ai-1
status: experimental
level: high
description: |
  Detects unauthenticated POST requests to the Gravity Forms AJAX endpoint used for saving form data. This specific endpoint is targeted by CVE-2026-5112 to inject malicious HTML into the product name field of Calculation Product fields within Repeater fields. This can lead to stored XSS when an administrator views the entry.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5112/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/wp-admin/admin-ajax.php'
    cs-uri-query|contains:
      - 'action=gravityforms_save_form_data'
    cs-method:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
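The following is an added example, not part of the page or of the SCW rule set, showing how the Sigma selection above translates into a log-matching routine: it applies the rule's three clauses (URI path, `action` query parameter, POST method) to a few constructed W3C-style web server log lines. The log format, the log lines and the field names are constructed for illustration; the `action` value is taken from the rule as published and is not independently verified here, and the rule's `cs-uri` clause is applied to the `cs-uri-stem` field of the constructed format.

```php
<?php
// Added example; the log lines below are constructed. Field order assumed:
// date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
$log = <<<'LOG'
2026-05-02 09:20:11 203.0.113.5 POST /wp-admin/admin-ajax.php action=gravityforms_save_form_data&form_id=3 200
2026-05-02 09:20:15 203.0.113.5 GET /wp-admin/admin-ajax.php action=gravityforms_save_form_data&form_id=3 200
2026-05-02 09:21:02 198.51.100.7 POST /wp-admin/admin-ajax.php action=heartbeat 200
2026-05-02 09:22:40 198.51.100.9 POST /contact/ - 200
LOG;

// Parse one W3C-style line into the named fields the rule references.
// Returns null for blank or malformed lines so they are skipped, not guessed at.
function parse_w3c_line(string $line): ?array
{
    $parts = preg_split('/\s+/', trim($line));
    if (count($parts) !== 7) {
        return null;
    }
    [$date, $time, $ip, $method, $stem, $query, $status] = $parts;
    return [
        'date'         => $date,
        'time'         => $time,
        'c-ip'         => $ip,
        'cs-method'    => $method,
        'cs-uri-stem'  => $stem,
        'cs-uri-query' => $query === '-' ? '' : $query,
        'sc-status'    => (int) $status,
    ];
}

// Mirror of the rule's selection map: in Sigma, all keys of a map must hold (AND).
// "|contains" becomes a substring test; the plain cs-method list is an exact match.
function matches_cve_2026_5112_selection(array $rec): bool
{
    return str_contains($rec['cs-uri-stem'], '/wp-admin/admin-ajax.php')
        && str_contains($rec['cs-uri-query'], 'action=gravityforms_save_form_data')
        && $rec['cs-method'] === 'POST';
}

// Apply the selection to every line and return the matching records.
function find_matches(string $log): array
{
    $hits = [];
    foreach (explode("\n", $log) as $line) {
        $rec = parse_w3c_line($line);
        if ($rec !== null && matches_cve_2026_5112_selection($rec)) {
            $hits[] = $rec;
        }
    }
    return $hits;
}

$hits = find_matches($log);
printf("%d matching request(s)\n", count($hits));
foreach ($hits as $hit) {
    printf("%s %s %s %s %s?%s\n",
        $hit['date'], $hit['time'], $hit['c-ip'],
        $hit['cs-method'], $hit['cs-uri-stem'], $hit['cs-uri-query']);
}
```

Only the first constructed line satisfies all three clauses: the second is a GET, the third carries a different `action`, and the fourth never touches the AJAX endpoint. Note what the selection does not do: nothing in it distinguishes an unauthenticated request from an administrator's own, so the "unauthenticated" wording in the rule description is a statement about the vulnerability, not about what this query filters. Where the log source records cookies, excluding requests that carry a `wordpress_logged_in_` cookie narrows the rule toward the unauthenticated case; otherwise treat hits as leads to correlate with the entry contents in wp-admin.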

Source: Shimi's Cyber World


Indicators of Compromise

All indicators below carry ID CVE-2026-5112 and type XSS:

  • Gravity Forms plugin for WordPress versions <= 2.10.0
  • Insufficient input validation and output escaping of Calculation Product field product names
  • Vulnerable component: GF_Field_Calculation class, validate() method (specifically product name field .1)
  • Vulnerable component: sanitize_entry_value() method returning raw value for fields where HTML is not expected
  • Vulnerable component: get_value_entry_detail() method concatenating unescaped product name into output string
Source & Attribution

  • Source platform: NVD
  • Channel: National Vulnerability Database
  • Published: May 02, 2026 at 09:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
