{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/gravity-forms-plugin/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5112"}],"_cs_exploited":false,"_cs_products":["Gravity Forms plugin"],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","gravityforms"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Gravity Forms plugin for WordPress, a widely used form management tool, contains a vulnerability that can be exploited by unauthenticated attackers. Specifically, versions up to and including 2.10.0 are susceptible to Stored Cross-Site Scripting (XSS) due to insufficient input validation and output escaping of Calculation Product field names within Repeater fields. This flaw resides in how the plugin processes and renders form submissions containing malicious HTML within the product name field. The vulnerability allows an attacker to inject arbitrary web scripts that execute in the context of an authenticated administrator\u0026rsquo;s session when they access the entry detail page within the WordPress admin panel. Successful exploitation enables attackers to perform actions with the privileges of the compromised administrator.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious form submission.\u003c/li\u003e\n\u003cli\u003eThe malicious payload is placed in the Calculation Product field\u0026rsquo;s product name (.1) within a Repeater field.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003evalidate()\u003c/code\u003e method in the \u003ccode\u003eGF_Field_Calculation\u003c/code\u003e class inadequately validates the product name field, failing to sanitize malicious HTML.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esanitize_entry_value()\u003c/code\u003e method returns the raw, unsanitized value for the product name field, as HTML sanitization is not expected for this field.\u003c/li\u003e\n\u003cli\u003eThe malicious form submission is saved as an entry in WordPress.\u003c/li\u003e\n\u003cli\u003eAn authenticated administrator with the \u003ccode\u003egravityforms_view_entries\u003c/code\u003e capability accesses the entry detail page in \u003ccode\u003ewp-admin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget_value_entry_detail()\u003c/code\u003e method concatenates the unsanitized product name directly into the output string.\u003c/li\u003e\n\u003cli\u003eThe repeater\u0026rsquo;s \u003ccode\u003eget_value_entry_detail()\u003c/code\u003e method renders the unsanitized output, leading to the execution of the injected XSS payload within the administrator\u0026rsquo;s browser.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript code within the context of an authenticated WordPress administrator\u0026rsquo;s session. This can lead to account takeover, data theft, or further malicious actions performed on the WordPress site. While the number of potentially affected sites is large due to the plugin\u0026rsquo;s popularity, the impact is limited to administrators who access the specific entry containing the malicious payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity Forms plugin to a version greater than 2.10.0 to patch CVE-2026-5112.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Gravity Forms XSS via Product Name\u003c/code\u003e to detect attempts to inject malicious scripts into product names.\u003c/li\u003e\n\u003cli\u003eReview and audit existing Gravity Forms entries for suspicious content in Calculation Product fields to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-gravityforms-xss/","summary":"The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.10.0, allowing unauthenticated attackers to inject arbitrary web scripts via form submissions that execute when an administrator views the entry detail page.","title":"Gravity Forms Plugin Unauthenticated Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-gravityforms-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Gravity Forms Plugin","version":"https://jsonfeed.org/version/1.1"}