PT-2026-36574 · WordPress · Gravity Forms

Tadokun · Published 2026-05-02 · Updated 2026-05-02 · CVE-2026-5110

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Gravity Forms versions prior to 2.10.1
Description: The plugin is subject to unauthenticated stored Cross-Site Scripting (XSS): a malicious script is persisted on the target server and later executed in another user's browser. The flaw is insufficient input validation and output escaping in the SingleProduct field when it is nested inside a Repeater field. The validate_subfield() method calls validate(), which checks only the quantity subfield and ignores the product name subfield, so the failed_state_validation() mechanism is never triggered for the name. An unauthenticated attacker can therefore submit arbitrary HTML and JavaScript in the product name field, and the value is stored without sanitization because sanitize_entry_value() returns raw values for this field type. The payload executes in an administrator's browser when the entry is viewed at wp-admin/admin.php?page=gf_entries, because get_value_entry_detail() outputs the product name without escaping.
Recommendations: Update to Gravity Forms 2.10.1 or later.
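The following is an added illustrative example, not code from Gravity Forms or from the advisory's author. It models the two halves of the issue described above (a product subfield validator that checks only quantity, and entry-detail output that concatenates the stored product name into HTML) beside their hardened counterparts, plus a version check against the fixed release. The array keys ('name', 'price', 'quantity'), the function names and the repeater row shape are hypothetical stand-ins, and the sample entry value is constructed here.

```php
<?php
// Added example (not Gravity Forms code): models unescaped entry-detail output
// of a SingleProduct field nested in a Repeater, beside the hardened output and
// the input-side check the advisory says was missing. Key names ('name',
// 'price', 'quantity') and all function names are hypothetical.

// Stand-in for WordPress esc_html() so this file runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the stored product name is written into HTML as-is.
function render_product_detail_vulnerable(array $product): string {
    return sprintf(
        '<td>%s</td><td>%s</td><td>%s</td>',
        $product['name'], $product['quantity'], $product['price']
    );
}

// Hardened pattern: escape every user-controlled subfield for HTML context at
// output time, regardless of what validation ran when the entry was submitted.
function render_product_detail_hardened(array $product): string {
    return sprintf(
        '<td>%s</td><td>%s</td><td>%s</td>',
        esc_html($product['name']), esc_html($product['quantity']), esc_html($product['price'])
    );
}

// Input-side check covering the subfield the advisory says was skipped: the
// product name must carry no markup. Validating quantity alone lets an HTML
// payload in the name reach storage.
function validate_single_product(array $product): array {
    $errors = [];
    if (preg_match('/^[1-9]\d*$/', (string) $product['quantity']) !== 1) {
        $errors[] = 'quantity must be a positive integer';
    }
    $name = (string) $product['name'];
    if ($name !== strip_tags($name) || strpbrk($name, '<>') !== false) {
        $errors[] = 'product name must not contain HTML';
    }
    return $errors;
}

// A repeater value is a list of rows; validate the nested product in each row.
function validate_repeater_products(array $rows): array {
    $errors = [];
    foreach ($rows as $i => $row) {
        foreach (validate_single_product($row['product']) as $e) {
            $errors[] = "row $i: $e";
        }
    }
    return $errors;
}

// Version check against the fixed release named in the advisory (2.10.1).
function gravity_forms_version_is_vulnerable(string $version): bool {
    return version_compare($version, '2.10.1', '<');
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: one repeater row with an XSS payload in the product name.
    $rows = [
        ['product' => ['name' => '<img src=x onerror=alert(document.cookie)>', 'price' => '$10.00', 'quantity' => '1']],
    ];
    echo "Vulnerable render: ", render_product_detail_vulnerable($rows[0]['product']), "\n";
    echo "Hardened render:   ", render_product_detail_hardened($rows[0]['product']), "\n";
    echo "Validation errors: ", implode('; ', validate_repeater_products($rows)), "\n";
    foreach (['2.10.0', '2.10.1'] as $v) {
        echo "Gravity Forms $v vulnerable: ", gravity_forms_version_is_vulnerable($v) ? 'yes' : 'no', "\n";
    }
}
```

Run it with the PHP CLI (`php example.php`): the vulnerable render emits the `<img ... onerror=...>` tag verbatim, the hardened render emits it entity-encoded, validation reports the HTML in the name, and only 2.10.0 is flagged as vulnerable. The structural fix is the output-time escaping; the input check is defence in depth, since stored values can reach other output paths. To feed the version check from a live site, the installed version can be read with WP-CLI (`wp plugin get gravityforms --field=version`, assuming the plugin slug is `gravityforms`).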

Tags: Fix, XSS


Related Identifiers: CVE-2026-5110

Affected Products: Gravity Forms