https://feed.craftedsignal.io/products/gravity-forms-plugin--2.10.0/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 02 May 2026 06:16:04 +0000https://feed.craftedsignal.io/briefs/2026-05-gravityforms-xss/Sat, 02 May 2026 06:16:04 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-gravityforms-xss/The Gravity Forms plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via Consent field hidden inputs, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the entries list page.The Gravity Forms plugin for WordPress, a popular form builder, contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-5113. This flaw affects versions up to and including 2.10.0. The vulnerability stems from a flawed state validation mechanism combined with insufficient output escaping within the Consent field’s hidden inputs. An unauthenticated attacker can exploit this by injecting malicious JavaScript code into form entries. This malicious code is then executed when an authenticated administrator accesses the Entries List page within the WordPress administration panel, potentially leading to account compromise or other malicious actions performed within the administrator’s session. Successful exploitation allows attackers to execute arbitrary web scripts in the context of an administrator’s browser.

Attack Chain

1. An unauthenticated attacker crafts a malicious payload containing XSS code within a Gravity Forms Consent field. The payload leverages HTML tags like <svg> that wp_kses() will strip.
2. The attacker submits the crafted form entry to the WordPress site.
3. The Gravity Forms plugin’s state validation mechanism calculates two hashes: one for the raw input and another after sanitization via wp_kses().
4. Due to the nature of the XSS payload, the wp_kses() function strips the <svg> tag, resulting in a matching hash for the sanitized input.
5. The flawed validation logic fails to detect the malicious intent because at least one hash matches the original state, allowing the malicious raw value (containing the XSS payload) to be stored in the database.
6. An authenticated administrator logs into the WordPress administration panel.
7. The administrator navigates to the Entries List page for the affected Gravity Form.
8. The stored malicious consent label is retrieved from the database and output without proper escaping, causing the XSS payload to execute within the administrator’s browser session.

Impact

Successful exploitation of CVE-2026-5113 allows unauthenticated attackers to execute arbitrary web scripts within the context of an authenticated administrator’s browser session. This can lead to a variety of malicious outcomes, including account compromise, data theft, modification of website content, or further propagation of the attack to other administrative users. The severity of the impact depends on the privileges held by the compromised administrator account.

Recommendation

• Upgrade the Gravity Forms plugin to the latest version, which includes a fix for CVE-2026-5113.
• Implement a Web Application Firewall (WAF) rule to filter out requests containing potentially malicious XSS payloads targeting the Gravity Forms Consent field.
• Monitor web server logs for suspicious activity related to form submissions containing encoded or obfuscated JavaScript code. Analyze HTTP request parameters for unusual characters or patterns indicative of XSS attempts.
• Enable output escaping on form entries to prevent stored XSS attacks.

]]>mediumadvisoryxsswordpressgravityformscve-2026-5113stored-xsshttps://feed.craftedsignal.io/briefs/2024-01-gravity-forms-xss/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-gravity-forms-xss/The Gravity Forms plugin for WordPress is vulnerable to unauthenticated stored cross-site scripting (XSS) in versions up to 2.10.0, allowing attackers to inject arbitrary JavaScript code into the product name field within repeater fields, which executes when an administrator views the affected entry.The Gravity Forms plugin, a widely used WordPress plugin, is susceptible to an unauthenticated stored cross-site scripting (XSS) vulnerability. This flaw, identified as CVE-2026-5110, affects versions up to and including 2.10.0. The vulnerability stems from inadequate input validation and output escaping specifically within the SingleProduct field when it is nested inside a Repeater field. This bypasses normal state validation, allowing attackers to inject malicious HTML and JavaScript into the product name field. The injected payload is then stored unsanitized in the database. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator accesses an entry containing the malicious payload through the WordPress admin interface.

Attack Chain

1. An unauthenticated attacker crafts a malicious request to a WordPress endpoint utilizing the Gravity Forms plugin.
2. The attacker injects arbitrary HTML and JavaScript into the ‘product name’ field (input .1) of a SingleProduct field nested within a Repeater field.
3. Due to insufficient validation within the validate_subfield() method, the malicious input bypasses the state validation mechanism (failed_state_validation()).
4. The sanitize_entry_value() method returns the raw, unsanitized value because HTML is not expected for the affected field type.
5. The malicious input is stored in the WordPress database without proper sanitization or escaping.
6. An administrator accesses the Gravity Forms entries page in the WordPress admin interface (wp-admin/admin.php?page=gf_entries).
7. The get_value_entry_detail() method retrieves the malicious product name from the database and outputs it without proper escaping.
8. The stored XSS payload executes in the administrator’s browser, potentially allowing the attacker to perform actions with the administrator’s privileges.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of an administrator’s browser session. This can lead to account compromise, data theft, or further malicious activities within the WordPress administration panel. The vulnerability affects all users of the Gravity Forms plugin on WordPress installations with versions up to and including 2.10.0.

Recommendation

• Upgrade the Gravity Forms plugin to the latest version (greater than 2.10.0) to patch CVE-2026-5110.
• Deploy the provided Sigma rule Detect Gravity Forms XSS Attempt to identify potential exploitation attempts by monitoring for specific patterns in HTTP requests.
• Enable web server logging to capture detailed information about HTTP requests and responses, enabling the Sigma rule’s effectiveness.

]]>mediumadvisoryxsswordpressgravityforms