Vulnerability Description
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wp_kses(), combined with insufficient output escaping. The state validation logic creates two hashes (raw input and wp_kses-sanitized input) and only fails validation if BOTH hashes don't match the original state. When an attacker injects XSS payloads using tags stripped by wp_kses() (like <svg>), the sanitized hash matches while the malicious raw value is preserved and saved to the database. When administrators view the Entries List page, the stored malicious consent label is retrieved and output without escaping, causing the XSS payload to execute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entries that will execute whenever an authenticated administrator accesses the entries list page.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://docs.gravityforms.com/gravityforms-change-log/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5890c0f1-f549-4076-9d5
FAQ
What is CVE-2026-5113?
CVE-2026-5113 is a vulnerability with a CVSS score of 7.2 (HIGH). The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mec...
How severe is CVE-2026-5113?
CVE-2026-5113 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-5113?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.