Stored Cross-Site Scripting Vulnerability in Gravity Forms for WordPress
CVE-2026-5110

7.2 HIGH

Key Information:

Vendor

WordPress

CVE Published:
2 May 2026

What is CVE-2026-5110?

The Gravity Forms plugin for WordPress is vulnerable to unauthenticated stored cross-site scripting in all versions up to and including 2.10.0. The flaw stems from insufficient input validation and output escaping in the SingleProduct field when it is used inside a Repeater field. The validation that normally rejects tampered submissions can be bypassed, so an attacker can submit arbitrary HTML and JavaScript in the product name field, and that value is stored in the database unsanitized. When an administrator later views the affected entry, the injected script runs in the administrator's browser, which is what makes the issue exploitable by an unauthenticated attacker.

Affected Version(s)

Gravity Forms, all versions up to and including 2.10.0

References

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

tadokun