Stored Cross-Site Scripting in Gravity Forms Plugin for WordPress
CVE-2026-5109

7.2 HIGH

Key Information:

Vendor: WordPress
CVE Published: 2 May 2026

What is CVE-2026-5109?

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting through the values of Product Option fields, which are insufficiently validated on input and not escaped on output. An unauthenticated attacker can submit a form entry whose Product Option value contains arbitrary JavaScript; the plugin stores the raw, unsanitized value in the database instead of a sanitized one, and the script runs in the administrator's browser when the Order Summary section of that entry's details is viewed. Because the payload executes inside an authenticated administrator session, the attacker needs no credentials of their own to act against the admin interface.
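As an added illustration (not code from this advisory or from Gravity Forms, whose internals are not shown on this page), the following Python model reproduces the pattern the description names: a submitted Product Option value is stored raw and later interpolated into admin-side Order Summary markup without escaping. It contrasts that with a renderer that escapes every stored value at output time, and includes a small HTML-parser check that flags stray tags and event-handler attributes in the rendered result. The `label|price` value layout, the table markup and the sample submissions are assumptions constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample submissions for a Product Option field. The "label|price"
# layout is an assumption made for this example, not Gravity Forms' own format.
SAMPLE_SUBMISSIONS = [
    "Large|5.00",
    "<img src=x onerror=alert(document.cookie)>|0.00",
]

# Tags the Order Summary table itself is expected to contain; any other tag in
# the rendered output can only have come from stored user data.
EXPECTED_TAGS = frozenset({"table", "tr", "td"})


def store_raw(value: str) -> str:
    """Vulnerable storage pattern: persist exactly what the submitter sent."""
    return value


def render_order_summary_vulnerable(stored_values):
    """Interpolate stored values straight into admin-side HTML (no escaping)."""
    rows = []
    for value in stored_values:
        label, price = value.split("|", 1)
        rows.append(f"<tr><td>{label}</td><td>{price}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def render_order_summary_hardened(stored_values):
    """Same rendering, but every stored value is HTML-escaped at output time.

    Escaping on output is what makes the fix durable: it also neutralises
    values that were stored raw before any input sanitization existed.
    """
    rows = []
    for value in stored_values:
        label, price = value.split("|", 1)
        rows.append(
            f"<tr><td>{html.escape(label)}</td><td>{html.escape(price)}</td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


class _MarkupAuditor(HTMLParser):
    """Collects tags outside the expected set and any on* event-handler attribute."""

    def __init__(self, expected_tags):
        super().__init__()
        self.expected_tags = expected_tags
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag not in self.expected_tags:
            self.findings.append(f"unexpected tag <{tag}>")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")


def audit_rendered_html(rendered, expected_tags=EXPECTED_TAGS):
    """Return a list of findings; an empty list means only expected markup is present."""
    auditor = _MarkupAuditor(expected_tags)
    auditor.feed(rendered)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    stored = [store_raw(v) for v in SAMPLE_SUBMISSIONS]
    print("vulnerable:", audit_rendered_html(render_order_summary_vulnerable(stored)))
    print("hardened:  ", audit_rendered_html(render_order_summary_hardened(stored)))
```

The auditor parses the rendered HTML rather than grepping it: in the hardened output the payload survives as text (`&lt;img ... onerror=...&gt;`), so a substring check for `onerror=` would still fire, whereas the parser correctly reports no start tag and no attribute. The same check can be run over a site's own rendered entry pages to confirm that stored values are being escaped.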

Affected Version(s)

Gravity Forms, all versions up to and including 2.10.0

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published: 2 May 2026

  • Vulnerability reserved

Credit

tadokun