Vulnerabilities ›

CVE-2026-5113

High

CWE-79 — Weakness Type

                    Published: May 2, 2026                      ·  Modified: May 8, 2026                      ·  Source: NVD                

CVSS v3

7.2

🔗 NVD Official

📄 Description (English)

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wp_kses(), combined with insufficient output escaping. The state validation logic creates two hashes (raw input and wp_kses-sanitized input) and only fails validation if BOTH hashes don't match the original state. When an attacker injects XSS payloads using tags stripped by wp_kses() (like <svg>), the sanitized hash matches while the malicious raw value is preserved and saved to the database. When administrators view the Entries List page, the stored malicious consent label is retrieved and output without escaping, causing the XSS payload to execute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entries that will execute whenever an authenticated administrator accesses the entries list page.

🤖 AI Executive Summary

Gravity Forms WordPress plugin versions up to 2.10.0 contain a Stored Cross-Site Scripting vulnerability in Consent field hidden inputs due to flawed state validation and insufficient output escaping. Unauthenticated attackers can inject malicious scripts that execute when administrators view the Entries List page.

📄 Description (Arabic)

يحتوي مكون Gravity Forms على ثغرة Stored XSS في حقول الموافقة المخفية بسبب آلية التحقق من الحالة المعيبة التي تفشل عند استخدام wp_kses() مع عدم كفاية الهروب من الإخراج. يمكن للمهاجمين غير المصرح لهم حقن حمولات XSS باستخدام علامات يتم تجريدها بواسطة wp_kses() مثل <svg>، حيث يتم حفظ القيمة الخبيثة في قاعدة البيانات وتنفيذها عند عرض مسؤولي النظام لصفحة قائمة الإدخالات.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 8, 2026 14:17

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

banking government healthcare

🎯 MITRE ATT&CK Techniques

T1190 T1598 T1566

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Update Gravity Forms plugin to version 2.10.1 or later immediately. Review and audit all existing form entries for suspicious consent field values. Implement Web Application Firewall (WAF) rules to detect and block XSS payloads. Restrict administrative access to Entries List page and implement additional output escaping for user-supplied content.

🔧 خطوات المعالجة (العربية)

قم بتحديث مكون Gravity Forms إلى الإصدار 2.10.1 أو أحدث فوراً. قم بمراجعة وتدقيق جميع إدخالات النماذج الموجودة للتحقق من قيم حقول الموافقة المريبة. قم بتنفيذ قواعد جدار الحماية لتطبيقات الويب لكشف وحجب حمولات XSS. قيد الوصول الإداري إلى صفحة قائمة الإدخالات وقم بتنفيذ إخراج إضافي للهروب من محتوى المستخدم.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.14.2.1 A.14.2.5

🔵 SAMA CSF

CC-6.1 CC-6.2 CC-7.2

🟡 ISO 27001:2022

A.14.2.1 A.14.2.5 A.13.1.3

🔗 References & Sources 2

🔗

https://docs.gravityforms.com/gravityforms-change-log/

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/5890c0f1-f549-4076-9d57-74f5e...

security@wordfence.com

📊 CVSS Score

7.2

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.2

CWECWE-79

EPSS0.01%

Exploit No

Patch ✗ No

Published 2026-05-02

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-79

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-5113

💬 Comments

Introduce Yourself

Sign In Required