CVE-2026-5113: Gravity Forms XSS via Flawed Consent Field Validation

The National Vulnerability Database reports CVE-2026-5113, a high-severity (CVSS 7.2) Stored Cross-Site Scripting (XSS) vulnerability in the Gravity Forms plugin for WordPress, affecting versions up to and including 2.10.0. The flaw stems from an inadequate state-validation mechanism for the Consent field's hidden inputs, combined with insufficient output escaping. The core issue is the order in which wp_kses() sanitization and the validation logic are applied: the validation compares a hash of the sanitized label against the expected state, so a submission that carries a tag wp_kses() strips (such as <svg>) still hashes to the expected value and passes, while the unsanitized raw input is what gets preserved.

This means unauthenticated attackers can inject arbitrary web scripts into form entries. When an authenticated administrator later views the Entries List page, the stored malicious consent label is retrieved and executed without proper escaping. This isn’t just a nuisance; it’s a direct path for attackers to compromise administrator sessions, potentially leading to website defacement, data theft, or further system compromise through privilege escalation.

For defenders, this is a critical reminder that even seemingly robust sanitization functions like wp_kses() can be bypassed if the surrounding validation logic is weak. It highlights the importance of a defense-in-depth approach, where input validation, output encoding, and integrity checks are all rigorously applied and don’t rely on a single point of failure. This specific vulnerability is a prime example of how a ‘fail open’ state in validation can be weaponized.
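The following Python model, added here as an illustration and not taken from Gravity Forms, shows the "hash the sanitized value, store the raw value" pattern described above beside a hardened variant that hashes what was actually received, stores only the sanitized label, and escapes on output. The allow-list, the hash scheme, the kses_like() stand-in for wp_kses() and all names are assumptions.

```python
"""Model of the CVE-2026-5113 validation flaw (illustration, not plugin code).

Assumptions: the form carries a hidden input with a hash of the expected
consent label; kses_like() stands in for wp_kses() and only drops tags that
are not on a small allow-list (real wp_kses also filters attributes).
"""
import hashlib
import html
import re
from typing import Optional

ALLOWED_TAGS = {"b", "i", "em", "strong", "a", "p"}  # assumed allow-list

_TAG_RE = re.compile(r"</?([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def kses_like(value: str) -> str:
    """Stand-in for wp_kses(): remove any tag whose name is not allow-listed."""
    return _TAG_RE.sub(
        lambda m: m.group(0) if m.group(1).lower() in ALLOWED_TAGS else "", value
    )


def state_hash(value: str) -> str:
    """Hash carried in the hidden input so the server can verify the label."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def vulnerable_validate(raw_label: str, expected_hash: str) -> Optional[str]:
    """Flawed pattern: the hash is checked on the *sanitized* label, but the
    *raw* label is what gets stored, so stripped tags survive in storage."""
    if state_hash(kses_like(raw_label)) != expected_hash:
        return None
    return raw_label


def hardened_validate(raw_label: str, expected_hash: str) -> Optional[str]:
    """Fix: hash exactly what was received, and store only the sanitized value."""
    if state_hash(raw_label) != expected_hash:
        return None
    return kses_like(raw_label)


def render_entry(label: str) -> str:
    """Entries List cell with the output escaping the vulnerable page lacked."""
    return f"<td>{html.escape(label)}</td>"


# Constructed sample data: an inert <svg> tag appended to the legitimate label.
LEGIT_LABEL = "I agree to the terms"
EXPECTED_HASH = state_hash(LEGIT_LABEL)
TAMPERED_LABEL = LEGIT_LABEL + "<svg>"
```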

What This Means For You

  • If your organization uses Gravity Forms for WordPress, you must immediately verify your plugin version. Any installation running Gravity Forms 2.10.0 or older is vulnerable. Patching this is non-negotiable to prevent unauthenticated attackers from injecting malicious scripts that execute on your administrators' browsers.

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

Severity: high · T1190 (Initial Access)

CVE-2026-5113: Gravity Forms Stored XSS via Consent Field

Sigma YAML:
title: 'CVE-2026-5113: Gravity Forms Stored XSS via Consent Field'
id: scw-2026-05-02-ai-1
status: experimental
level: high
description: |
  Detects potential exploitation of CVE-2026-5113 by identifying requests to the Gravity Forms entries page that contain a consent field type and an SVG tag, indicative of a stored XSS payload being submitted. This rule targets the specific vulnerability where unsanitized SVG tags in consent labels are rendered without escaping on the entries list page, leading to XSS execution when an administrator views the entries.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5113/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # Gravity Forms entries page in wp-admin
    c-uri|contains: '/wp-admin/admin.php?page=gf_entries'
    # Both query-string markers must be present (a single key with the
    # 'all' modifier; the original listed cs-uri-query twice, which is
    # invalid YAML and would have kept only the last value)
    cs-uri-query|contains|all:
      - 'gf_field_type=consent'
      - '<svg'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID | Type | Indicator
CVE-2026-5113 | XSS | Gravity Forms plugin for WordPress
CVE-2026-5113 | XSS | Gravity Forms plugin versions up to and including 2.10.0
CVE-2026-5113 | XSS | Vulnerable component: Consent field hidden inputs
CVE-2026-5113 | XSS | Attack vector: injecting XSS payloads using tags stripped by wp_kses() (e.g., <svg>) into consent labels
CVE-2026-5113 | XSS | Trigger: authenticated administrator accessing the Entries List page

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 02, 2026 at 09:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
