CVE-2026-5109 Overview
CVE-2026-5109 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Gravity Forms plugin for WordPress in versions up to and including 2.10.0. The flaw resides in the handling of Product Option field values, where the state validation function accepts submitted values whose wp_kses()-sanitized form matches a legitimate option, while the database stores the raw unsanitized input. When an administrator opens the Order Summary view, the option_label is rendered without escaping at view-order-summary.php line 32. Unauthenticated attackers can submit crafted form data that executes arbitrary JavaScript in the administrator's browser session.
Critical Impact
Unauthenticated attackers can inject persistent JavaScript that executes in administrator sessions, enabling account takeover, privilege abuse, and site compromise through form submissions.
Affected Products
- Gravity Forms plugin for WordPress versions up to and including 2.10.0
- WordPress sites using Product Option fields in Gravity Forms
- Any administrator account that views entry details via the Order Summary section
Discovery Timeline
- 2026-05-02 - CVE-2026-5109 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-5109
Vulnerability Analysis
The vulnerability is a stored XSS issue classified under [CWE-79]. Gravity Forms validates submitted Product Option values by comparing the wp_kses()-sanitized version of user input against the legitimate option values configured for the field. The comparison passes if the sanitized form matches, but the plugin persists the original unsanitized payload to the database. Attackers exploit this mismatch by submitting values whose markup wp_kses() strips from the comparison copy, so validation passes, while the raw value containing that markup is stored intact.
When an administrator later reviews the submission, the Order Summary template at view-order-summary.php line 32 outputs the stored option_label directly into the HTML without applying esc_html() or equivalent escaping. The browser parses the embedded JavaScript and executes it under the administrator's authenticated session, giving the attacker code execution in the WordPress admin context.
Root Cause
The root cause is an inconsistency between input validation and data storage. Sanitization is applied only to a comparison copy, not to the value committed to the database. Combined with the missing output escaping in the Order Summary view, this dual flaw produces a reliable stored XSS chain reachable without authentication.
Attack Vector
The attack is performed remotely over the network by an unauthenticated user submitting a public form that contains a Product Option field. The attacker manipulates the option field value with crafted markup whose wp_kses()-sanitized form matches a legitimate option label. The payload remains dormant until an administrator opens the entry details page, at which point the script executes with administrator privileges in the browser.
The vulnerability mechanism is described in the Wordfence Vulnerability Intel advisory and the Gravity Forms Change Log.
Detection Methods for CVE-2026-5109
Indicators of Compromise
- Gravity Forms entries containing <script>, onerror=, onload=, or other HTML event-handler syntax in Product Option field values
- Unexpected administrator session activity (new users created, plugin installations, settings changes) following Order Summary page views
- Outbound requests from admin browsers to unfamiliar domains after viewing form entries
Detection Strategies
- Audit the wp_gf_entry_meta and related Gravity Forms entry tables for stored values containing HTML or JavaScript syntax
- Inspect web server access logs for POST requests to Gravity Forms submission endpoints with payloads containing <, >, or encoded script tags in option fields
- Compare submitted Product Option values against the configured legitimate option labels for the form to flag mismatches
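An added illustration (not the plugin's code) of the validation/storage mismatch described in the technical details and of the label-comparison audit suggested in the last detection strategy: a simplified tag stripper stands in for wp_kses() (an assumption), the configured labels and stored values are constructed samples, and the hardened check and output escaping show the two fixes side by side.

```python
import html
import re

# Constructed sample data (not real entries): the labels configured for one
# Product Option field and the raw values found stored for it across entries.
CONFIGURED_LABELS = ["Small", "Medium", "Large"]
STORED_VALUES = [
    "Medium",                                # legitimate submission
    'Small<img src=x onerror="alert(1)">',   # tag vanishes under sanitization -> passes check
    "Large<script>alert(1)</script>",        # sanitized copy keeps "alert(1)" -> fails check
    "Extra Large",                           # plain mismatch, no markup
]

_TAG_RE = re.compile(r"<[^>]*>")

def strip_tags(value: str) -> str:
    """Simplified stand-in for wp_kses(): drop every HTML tag, keep text (assumption)."""
    return _TAG_RE.sub("", value)

def vulnerable_check(raw: str, labels) -> bool:
    """Model of the flawed validation: the sanitized copy is compared, the raw value is stored."""
    return strip_tags(raw) in labels

def hardened_check(raw: str, labels) -> bool:
    """Fixed validation: the exact value that will be stored must be a configured label."""
    return raw in labels

def classify(raw: str, labels) -> str:
    """Label one stored value for an entry audit."""
    if raw in labels:
        return "ok"
    if vulnerable_check(raw, labels):
        return "sanitizer-bypass"  # the CVE-2026-5109 pattern: differs from a label only by stripped markup
    if "<" in raw or ">" in raw:
        return "markup-present"
    return "mismatch"

def audit(values, labels):
    """Return (raw value, classification) for every stored value that is not a clean label."""
    return [(v, classify(v, labels)) for v in values if classify(v, labels) != "ok"]

def render_label(raw: str) -> str:
    """Output escaping the vulnerable template omits (esc_html() equivalent)."""
    return html.escape(raw, quote=True)

if __name__ == "__main__":
    for value, verdict in audit(STORED_VALUES, CONFIGURED_LABELS):
        print(f"{verdict:17} {render_label(value)}")
```

Run against a real export, the "sanitizer-bypass" verdict is the one that identifies entries shaped like this vulnerability; "markup-present" and "mismatch" still merit review but can also stem from ordinary tampering.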
Monitoring Recommendations
- Enable Content Security Policy (CSP) headers on WordPress admin pages to restrict inline script execution and flag policy violations
- Monitor administrator account actions in the WordPress audit log for unexpected privilege changes after viewing form entries
- Alert on creation of new administrator accounts, plugin installs, or theme edits originating from sessions that recently accessed /wp-admin/admin.php?page=gf_entries
How to Mitigate CVE-2026-5109
Immediate Actions Required
- Update the Gravity Forms plugin to the latest version above 2.10.0 that contains the security fix as documented in the Gravity Forms Change Log
- Review all existing form entries for stored payloads and purge or sanitize any entries containing script content before administrators view them
- Rotate administrator credentials and invalidate active WordPress sessions if there is evidence administrators viewed suspicious entries
Patch Information
Gravity Forms has released a patched version that addresses both the validation inconsistency in the Product Option state check and the missing output escaping in view-order-summary.php. Site operators should consult the Gravity Forms Change Log for the exact fixed version and apply the update through the WordPress plugin manager or via the vendor's automatic update mechanism.
Workarounds
- Temporarily disable forms that include Product Option fields until the patched plugin version is installed
- Restrict access to the WordPress admin entries page using a web application firewall (WAF) rule that blocks requests containing script syntax in Gravity Forms submission parameters
- Apply a WAF virtual patch that rejects form submissions where Product Option values contain <, >, or HTML event-handler attributes
# Example WAF rule (ModSecurity) blocking script content in Gravity Forms submissions
SecRule ARGS_NAMES "@rx ^input_[0-9]+" \
"chain,phase:2,deny,status:403,id:1026510901,msg:'Possible CVE-2026-5109 XSS payload in Gravity Forms field'"
SecRule ARGS "@rx (?i)(<script|onerror=|onload=|javascript:)" "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.