CVE-2026-5111 Overview
CVE-2026-5111 is a Stored Cross-Site Scripting (XSS) vulnerability in the Gravity Forms plugin for WordPress, affecting versions up to and including 2.10.0. The flaw resides in the handling of Hidden Product fields placed inside Repeater fields, where insufficient input validation and output escaping allow unauthenticated attackers to inject arbitrary JavaScript through public form submissions. The injected script executes when an administrator opens the entry detail view in the WordPress admin dashboard. The issue is tracked under CWE-79 and carries a CVSS 3.1 score of 7.2.
Critical Impact
Unauthenticated attackers can persist JavaScript payloads in form entries that execute in administrator browser sessions, enabling session theft, account takeover, or further WordPress compromise.
Affected Products
- Gravity Forms plugin for WordPress versions up to and including 2.10.0
- WordPress sites with Repeater fields containing Hidden Product fields
- Any administrator account that views Gravity Forms entry details on affected installations
Discovery Timeline
- 2026-05-02 - CVE-2026-5111 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-5111
Vulnerability Analysis
The vulnerability is a stored XSS issue rooted in two cooperating defects within Gravity Forms. Repeater subfields bypass the plugin's standard state validation checks, which normally prevent tampering with read-only field values such as Hidden Product fields. Without that protection, an attacker can submit arbitrary content for the product name portion of a Hidden Product field even though the field is intended to carry server-defined values.
The second defect is in the validate() method of the Hidden Product field. The method only validates the quantity component and ignores the product name component. The unvalidated product name is later rendered by the get_value_entry_detail() method without proper output escaping. When an administrator opens the entry in the WordPress dashboard, the injected payload executes in the administrator's authenticated session.
Because exploitation requires no authentication and no user interaction beyond an administrator viewing entries, attackers can target any public form built with vulnerable versions. Successful exploitation can lead to admin session hijacking, plugin or theme modification, creation of rogue administrator accounts, or pivoting to additional WordPress compromise.
Root Cause
The root cause is twofold: Repeater subfields skip the field state validation that protects hidden field integrity, and the Hidden Product validate() routine performs incomplete validation by checking only the quantity field. Output escaping is also missing in get_value_entry_detail(), allowing stored payloads to render as live HTML.
Attack Vector
An unauthenticated attacker submits a crafted form on a vulnerable site. The form includes a Repeater field containing a Hidden Product field whose product name parameter carries a JavaScript payload. The plugin accepts and stores the malicious value. When an administrator later reviews the form entry, the payload executes in the context of the WordPress admin origin.
No verified exploit code is publicly available. Refer to the Wordfence Vulnerability Report for additional technical details.
Detection Methods for CVE-2026-5111
Indicators of Compromise
- Gravity Forms entries containing HTML or JavaScript markup such as <script>, onerror=, or onload= inside Hidden Product field values
- Unexpected outbound requests originating from /wp-admin/ pages when administrators view form entries
- New or modified WordPress administrator accounts created shortly after entry review activity
- Form submissions referencing Repeater fields with anomalous product name strings
Detection Strategies
- Audit the wp_gf_entry_meta and related Gravity Forms tables for entries whose Hidden Product field values contain angle brackets, event handlers, or JavaScript URI schemes
- Monitor WordPress admin sessions for script-driven actions such as user creation, role changes, or plugin installation that occur during entry review workflows
- Inspect web server access logs for POST requests to Gravity Forms submission endpoints carrying suspicious payloads in repeater subfield parameters
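A triage script for the entry-table audit described above, added here as an example and not part of the advisory or of the Gravity Forms project: it applies the three indicator classes the advisory names (angle-bracketed markup, inline event handlers, javascript: URIs) to product-name values, decoding HTML entities first so an entity-encoded payload that would be decoded on render is not missed. SAMPLE_ENTRY_VALUES is constructed data; pulling the real values out of wp_gf_entry_meta (for example via WP-CLI or a direct database query) is left to the operator.

```python
from __future__ import annotations

import html
import re

# Constructed sample values standing in for the product-name part of Hidden
# Product fields stored in Gravity Forms entry meta. Not real entry data.
SAMPLE_ENTRY_VALUES = {
    101: "Widget",
    102: "<script>alert(1)</script>",
    103: "Gadget<img src=x onerror=alert(1)>",
    104: '<a href="javascript:alert(1)">Buy</a>',
    105: "&lt;svg onload=alert(1)&gt;",          # entity-encoded variant
    106: "Plain name with ampersand & co",       # benign, must not be flagged
}

# One pattern per indicator class from the advisory. The event-handler pattern
# is generic (on<word>=) so it covers onerror=, onload=, onmouseover= and so on;
# it is a triage heuristic, so flagged entries still need a human look.
INDICATOR_PATTERNS = {
    "angle_brackets": re.compile(r"<[^>]*>"),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}


def scan_value(value: str) -> list[str]:
    """Return the indicator classes matched by one stored field value.

    Both the raw value and its HTML-entity-decoded form are checked, so a
    payload stored as &lt;svg onload=...&gt; is still reported.
    """
    decoded = html.unescape(value)
    return [name for name, pattern in INDICATOR_PATTERNS.items()
            if pattern.search(value) or pattern.search(decoded)]


def scan_entries(entries: dict[int, str]) -> dict[int, list[str]]:
    """Map entry id -> matched indicator classes, omitting clean entries."""
    findings: dict[int, list[str]] = {}
    for entry_id, value in entries.items():
        hits = scan_value(value)
        if hits:
            findings[entry_id] = hits
    return findings


if __name__ == "__main__":
    for entry_id, hits in scan_entries(SAMPLE_ENTRY_VALUES).items():
        print(f"entry {entry_id}: {', '.join(hits)} -> review before opening in wp-admin")
```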
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting in the WordPress admin to surface inline script execution from stored entry data
- Forward WordPress audit logs and web server logs to a centralized SIEM and alert on administrative changes following entry views
- Track Gravity Forms plugin version across all WordPress sites and flag installations at or below 2.10.0
How to Mitigate CVE-2026-5111
Immediate Actions Required
- Update the Gravity Forms plugin to a version above 2.10.0 that addresses CVE-2026-5111, per the Gravity Forms Change Log
- Review existing form entries for stored payloads and sanitize or delete entries containing script content before administrators open them
- Restrict administrator access to entry detail screens until the plugin is patched
Patch Information
Gravity Forms has issued a fix in a release subsequent to 2.10.0. Consult the Gravity Forms Change Log for the specific patched version and apply the update across all WordPress installations using the plugin. Verify the upgrade by confirming the installed version in the WordPress plugins screen.
Workarounds
- Temporarily disable forms that combine Repeater fields with Hidden Product fields until the plugin is updated
- Deploy a Web Application Firewall (WAF) rule to block form submissions containing HTML or JavaScript markup in Hidden Product field parameters
- Apply a strict Content Security Policy on /wp-admin/ to prevent inline script execution from stored entry content
# Example WP-CLI commands to inventory and update Gravity Forms
# Print only the installed version so it can be compared against 2.10.0
wp plugin get gravityforms --field=version
# Pull and install the latest release (Gravity Forms is a licensed plugin, so
# the site's license key must be configured for the update to be offered)
wp plugin update gravityforms
# Confirm the plugin is active and now reports the patched version
wp plugin list --status=active --format=table
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.