CVE-2026-5113

HIGH EPSS 14.8%
Published May 2, 20262mo ago · Modified Jun 17, 20262w ago
7.2 CVSS 3.1
High
Find Similar
Published May 2, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wp_kses(), combined with insufficient output escaping. The state validation logic creates two hashes (raw input and wp_kses-sanitized input) and only fails validation if BOTH hashes don't match the original state. When an attacker injects XSS payloads using tags stripped by wp_kses() (like <svg>), the sanitized hash matches while the malicious raw value is preserved and saved to the database. When administrators view the Entries List page, the stored malicious consent label is retrieved and output without escaping, causing the XSS payload to execute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entries that will execute whenever an authenticated administrator accesses the entries list page.

CVSS Details

Base Score
7.2
Exploitability
3.9
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
14.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

References 2

  • docs.gravityforms.com https://docs.gravityforms.com/gravityforms-change-log/
  • wordfence.com https://www.wordfence.com/threat-intel/vulnerabilities/id/5890c0f1-f549-4076-9d57-74f5eaffdcb3?source=cve

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.