PT-2026-36573 · WordPress · Gravity Forms

Tadokun · Published 2026-05-02 · Updated 2026-05-02 · CVE-2026-5109

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Gravity Forms versions prior to 2.10.1

Description: The plugin is subject to Stored Cross-Site Scripting due to insufficient validation and output escaping of Product Option field values. The state validation function accepts a submitted value whenever its wp_kses()-sanitized form matches a legitimate option value, but it is the raw, unsanitized value that is stored in the database. Unauthenticated attackers can therefore inject arbitrary web scripts into entry data. These scripts execute when an administrator views entry details in the Order Summary section, where the option label is output without escaping in the 'view-order-summary.php' file at line 32.

Recommendations: Update to a version later than 2.10.0.
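To make the defect concrete, the following is an added example (not code from Gravity Forms or from this advisory) showing the validate-the-sanitized-copy-but-store-the-raw-input pattern beside a hardened version. The option labels, the function names, and the use of strip_tags() and htmlspecialchars() as stand-ins for wp_kses() and esc_html() are assumptions made so the script runs outside WordPress.

```php
<?php
// Added example, not Gravity Forms code. It models the defect described above:
// the check runs on the sanitized copy of the input, but the raw input is stored.
// strip_tags() stands in for wp_kses() and htmlspecialchars() for esc_html(),
// since WordPress functions are not available in a stand-alone script.

// Constructed Product Option labels for a hypothetical field.
$allowed_options = ['Small', 'Large'];

// Vulnerable pattern: validate the sanitized value, persist the raw one.
function store_option_vulnerable(string $submitted, array $allowed): ?string
{
    $sanitized = strip_tags($submitted);           // stand-in for wp_kses()
    if (!in_array($sanitized, $allowed, true)) {
        return null;                               // not a known option: reject
    }
    return $submitted;                             // defect: raw input is stored
}

// Hardened pattern: persist the canonical option label that matched,
// so attacker-controlled bytes never reach the database in the first place.
function store_option_fixed(string $submitted, array $allowed): ?string
{
    $sanitized = strip_tags($submitted);
    $idx = array_search($sanitized, $allowed, true);
    return $idx === false ? null : $allowed[$idx];
}

// Output side: the summary template must escape on render regardless of what
// storage holds (defence in depth; this is the unescaped-output half of the fix).
function render_label(string $stored): string
{
    return '<td>' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed input: extra markup that a tag-stripping sanitizer reduces to a
// legitimate label, so the vulnerable check passes while the raw markup is kept.
$input = 'Small<em></em>';
$raw_stored = store_option_vulnerable($input, $allowed_options);
echo "vulnerable stores: " . var_export($raw_stored, true) . "\n";
echo "fixed stores:      " . var_export(store_option_fixed($input, $allowed_options), true) . "\n";
echo "escaped render:    " . render_label((string) $raw_stored) . "\n";
```

Both halves matter: storing the canonical label removes the injection point, and escaping on output keeps a template safe even if other code paths still write raw values.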

Fix

XSS


Weakness Enumeration

Related Identifiers: CVE-2026-5109

Affected Products: Gravity Forms