Unauthenticated Stored Cross-Site Scripting in Gravity Forms Plugin for WordPress
CVE-2026-5112

7.2 HIGH

Key Information:

Vendor: WordPress
CVE Published: 2 May 2026

What is CVE-2026-5112?

The Gravity Forms plugin for WordPress has a vulnerability that allows unauthenticated attackers to perform stored cross-site scripting. The issue stems from insufficient input validation and output escaping of product names in Calculation Product fields placed inside Repeater fields. Specifically, the validation routine does not check the product name, so HTML in that value passes validation. When the entry is saved, the unsanitized value is stored, and it is later rendered by the WordPress administrative tools without proper escaping. An attacker can therefore inject a script that executes when an administrator views the affected entry, compromising site security.
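The two missing controls the advisory describes (a validation step that skips the product name, and admin output rendered without escaping) can be shown side by side with their hardened counterparts. The following is an added illustration written for this page, not Gravity Forms code; the entry layout, field names and function names are hypothetical, and the fallbacks for esc_html() and sanitize_text_field() are simplified stand-ins for the WordPress core functions so the file runs outside WordPress.

```php
<?php
// Added illustration, not Gravity Forms code. Models the two layers the advisory
// describes: validation on save and escaping on admin display.

// Outside WordPress, fall back to simplified equivalents of the core helpers so this
// file runs stand-alone. Inside WordPress the real functions are used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Approximation: the real function also strips control octets and extra whitespace.
        return trim(strip_tags((string) $str));
    }
}

// Constructed sample entry: a Repeater row holding a Calculation Product field
// whose name carries markup. Any tag works the same way for this demonstration.
$entry = [
    'repeater' => [
        ['product' => ['name' => 'Widget <b>Deluxe</b>', 'price' => '9.99', 'quantity' => '2']],
    ],
];

// Validation that checks price and quantity but never looks at the name:
// the gap the advisory describes. Markup in the name passes straight through.
function validate_product_skipping_name(array $product): bool {
    return is_numeric($product['price']) && ctype_digit($product['quantity']);
}

// Hardened validation: every field is checked, and the name is reduced to plain text
// before it is stored. Input whose name changes under sanitization is rejected.
function validate_and_sanitize_product(array $product): ?array {
    if (!is_numeric($product['price']) || !ctype_digit($product['quantity'])) {
        return null;
    }
    $name = sanitize_text_field($product['name']);
    if ($name === '' || $name !== $product['name']) {
        return null; // name contained markup or was empty
    }
    return ['name' => $name, 'price' => $product['price'], 'quantity' => $product['quantity']];
}

// Vulnerable admin rendering: the stored value is echoed into HTML as-is.
function render_admin_cell_unescaped(array $product): string {
    return '<td>' . $product['name'] . '</td>';
}

// Defensive rendering: escape on output regardless of what validation did on save,
// so a value that slipped past validation is still shown as inert text.
function render_admin_cell_escaped(array $product): string {
    return '<td>' . esc_html($product['name']) . '</td>';
}

$product = $entry['repeater'][0]['product'];

echo "Validation skipping name accepts entry: "
    . (validate_product_skipping_name($product) ? 'yes' : 'no') . "\n";
echo "Hardened validation accepts entry:      "
    . (validate_and_sanitize_product($product) === null ? 'no' : 'yes') . "\n";
echo "Unescaped admin cell: " . render_admin_cell_unescaped($product) . "\n";
echo "Escaped admin cell:   " . render_admin_cell_escaped($product) . "\n";
```

The point of the final two lines is defence in depth: even when the save-time check is fixed, the admin view should still escape stored values, because entries created before the fix, or through another path, may already hold markup.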

Affected Version(s)

Gravity Forms versions 0 through 2.10.0 (inclusive)

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

tadokun