{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/gravity-forms-plugin--2.10.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5113"}],"_cs_exploited":false,"_cs_products":["Gravity Forms plugin \u003c= 2.10.0"],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","gravityforms","cve-2026-5113","stored-xss"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Gravity Forms plugin for WordPress, a popular form builder, contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-5113. This flaw affects versions up to and including 2.10.0. The vulnerability stems from a flawed state validation mechanism combined with insufficient output escaping within the Consent field\u0026rsquo;s hidden inputs. An unauthenticated attacker can exploit this by injecting malicious JavaScript code into form entries. This malicious code is then executed when an authenticated administrator accesses the Entries List page within the WordPress administration panel, potentially leading to account compromise or other malicious actions performed within the administrator\u0026rsquo;s session. Successful exploitation allows attackers to execute arbitrary web scripts in the context of an administrator\u0026rsquo;s browser.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious payload containing XSS code within a Gravity Forms Consent field. The payload leverages HTML tags like \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e that \u003ccode\u003ewp_kses()\u003c/code\u003e will strip.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted form entry to the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe Gravity Forms plugin\u0026rsquo;s state validation mechanism calculates two hashes: one for the raw input and another after sanitization via \u003ccode\u003ewp_kses()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the nature of the XSS payload, the \u003ccode\u003ewp_kses()\u003c/code\u003e function strips the \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e tag, resulting in a matching hash for the sanitized input.\u003c/li\u003e\n\u003cli\u003eThe flawed validation logic fails to detect the malicious intent because at least one hash matches the original state, allowing the malicious raw value (containing the XSS payload) to be stored in the database.\u003c/li\u003e\n\u003cli\u003eAn authenticated administrator logs into the WordPress administration panel.\u003c/li\u003e\n\u003cli\u003eThe administrator navigates to the Entries List page for the affected Gravity Form.\u003c/li\u003e\n\u003cli\u003eThe stored malicious consent label is retrieved from the database and output without proper escaping, causing the XSS payload to execute within the administrator\u0026rsquo;s browser session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5113 allows unauthenticated attackers to execute arbitrary web scripts within the context of an authenticated administrator\u0026rsquo;s browser session. This can lead to a variety of malicious outcomes, including account compromise, data theft, modification of website content, or further propagation of the attack to other administrative users. The severity of the impact depends on the privileges held by the compromised administrator account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity Forms plugin to the latest version, which includes a fix for CVE-2026-5113.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to filter out requests containing potentially malicious XSS payloads targeting the Gravity Forms Consent field.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to form submissions containing encoded or obfuscated JavaScript code. Analyze HTTP request parameters for unusual characters or patterns indicative of XSS attempts.\u003c/li\u003e\n\u003cli\u003eEnable output escaping on form entries to prevent stored XSS attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T06:16:04Z","date_published":"2026-05-02T06:16:04Z","id":"/briefs/2026-05-gravityforms-xss/","summary":"The Gravity Forms plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via Consent field hidden inputs, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the entries list page.","title":"Gravity Forms Plugin Stored XSS Vulnerability (CVE-2026-5113)","url":"https://feed.craftedsignal.io/briefs/2026-05-gravityforms-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5110"}],"_cs_exploited":false,"_cs_products":["Gravity Forms plugin \u003c= 2.10.0"],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","gravityforms"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Gravity Forms plugin, a widely used WordPress plugin, is susceptible to an unauthenticated stored cross-site scripting (XSS) vulnerability. This flaw, identified as CVE-2026-5110, affects versions up to and including 2.10.0. The vulnerability stems from inadequate input validation and output escaping specifically within the SingleProduct field when it is nested inside a Repeater field. This bypasses normal state validation, allowing attackers to inject malicious HTML and JavaScript into the product name field. The injected payload is then stored unsanitized in the database. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator accesses an entry containing the malicious payload through the WordPress admin interface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious request to a WordPress endpoint utilizing the Gravity Forms plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker injects arbitrary HTML and JavaScript into the \u0026lsquo;product name\u0026rsquo; field (input .1) of a SingleProduct field nested within a Repeater field.\u003c/li\u003e\n\u003cli\u003eDue to insufficient validation within the \u003ccode\u003evalidate_subfield()\u003c/code\u003e method, the malicious input bypasses the state validation mechanism \u003ccode\u003e(failed_state_validation())\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esanitize_entry_value()\u003c/code\u003e method returns the raw, unsanitized value because HTML is not expected for the affected field type.\u003c/li\u003e\n\u003cli\u003eThe malicious input is stored in the WordPress database without proper sanitization or escaping.\u003c/li\u003e\n\u003cli\u003eAn administrator accesses the Gravity Forms entries page in the WordPress admin interface (wp-admin/admin.php?page=gf_entries).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget_value_entry_detail()\u003c/code\u003e method retrieves the malicious product name from the database and outputs it without proper escaping.\u003c/li\u003e\n\u003cli\u003eThe stored XSS payload executes in the administrator\u0026rsquo;s browser, potentially allowing the attacker to perform actions with the administrator\u0026rsquo;s privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of an administrator\u0026rsquo;s browser session. This can lead to account compromise, data theft, or further malicious activities within the WordPress administration panel. The vulnerability affects all users of the Gravity Forms plugin on WordPress installations with versions up to and including 2.10.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity Forms plugin to the latest version (greater than 2.10.0) to patch CVE-2026-5110.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Gravity Forms XSS Attempt\u003c/code\u003e to identify potential exploitation attempts by monitoring for specific patterns in HTTP requests.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to capture detailed information about HTTP requests and responses, enabling the Sigma rule\u0026rsquo;s effectiveness.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-gravity-forms-xss/","summary":"The Gravity Forms plugin for WordPress is vulnerable to unauthenticated stored cross-site scripting (XSS) in versions up to 2.10.0, allowing attackers to inject arbitrary JavaScript code into the product name field within repeater fields, which executes when an administrator views the affected entry.","title":"Gravity Forms Plugin Unauthenticated Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-gravity-forms-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Gravity Forms Plugin \u003c= 2.10.0","version":"https://jsonfeed.org/version/1.1"}