PT-2026-36575 · WordPress · Gravity Forms

Tadokun · Published 2026-05-02 · Updated 2026-05-02 · CVE-2026-5111

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Gravity Forms versions prior to 2.10.1
Description: Stored Cross-Site Scripting occurs due to insufficient input validation and output escaping on Hidden Product field values when used inside Repeater fields. Specifically, repeater subfields bypass state validation checks, and the validate() method for Hidden Product only validates the quantity field, ignoring the product name field. This product name is subsequently output without proper escaping in the get_value_entry_detail() method, allowing unauthenticated attackers to inject arbitrary web scripts through form submissions that execute when an administrator views the entry details.
Recommendations: Update to a version later than 2.10.0.
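The description boils down to two defensive gaps: a validate() that checks only one subfield, and an entry-detail renderer that concatenates submitted text into HTML. The PHP below is an added illustration written for this advisory, not Gravity Forms code; the class names, method bodies and the allowed-name list (which stands in for the state validation the advisory mentions) are hypothetical, and the sample submission is constructed. It shows the weak pattern beside a hardened form that validates every subfield (also when the field sits inside a repeater row) and escapes on output, falling back to htmlspecialchars() when WordPress's esc_html() is not loaded.

```php
<?php
// Added illustration, not Gravity Forms code. Class, method and field names
// are hypothetical stand-ins for the pattern the advisory describes.

// --- Pattern the advisory describes (do not ship this) -------------------
class HiddenProductFieldWeak {
    // Validation only examines the quantity; the name subfield goes unchecked.
    public function validate(array $submitted): array {
        $errors = [];
        if (!is_numeric($submitted['quantity'] ?? null)) {
            $errors[] = 'Quantity must be numeric.';
        }
        return $errors;
    }

    // Entry detail view: the submitted name is concatenated into HTML as-is.
    public function get_value_entry_detail(array $submitted): string {
        return '<td>' . ($submitted['name'] ?? '') . '</td>'
             . '<td>' . ($submitted['quantity'] ?? '') . '</td>';
    }
}

// --- Hardened form --------------------------------------------------------
class HiddenProductFieldHardened {
    private array $allowedNames; // product names the form author configured

    public function __construct(array $allowedNames) {
        $this->allowedNames = $allowedNames;
    }

    // Validate every subfield; a hidden product should never carry a name
    // the form did not define (hypothetical stand-in for a state check).
    public function validate(array $submitted): array {
        $errors = [];
        $name = (string) ($submitted['name'] ?? '');
        if (!in_array($name, $this->allowedNames, true)) {
            $errors[] = 'Unexpected product name.';
        }
        $qty = $submitted['quantity'] ?? null;
        if (!is_numeric($qty) || (int) $qty < 0) {
            $errors[] = 'Quantity must be a non-negative number.';
        }
        return $errors;
    }

    // Escape on output regardless of what validation did upstream.
    public function get_value_entry_detail(array $submitted): string {
        $esc = function_exists('esc_html')
            ? 'esc_html'
            : fn($s) => htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return '<td>' . $esc($submitted['name'] ?? '') . '</td>'
             . '<td>' . $esc($submitted['quantity'] ?? '') . '</td>';
    }
}

// Repeater rows must pass through the same validation as a top-level field.
function validate_repeater_rows(HiddenProductFieldHardened $field, array $rows): array {
    $errors = [];
    foreach ($rows as $i => $row) {
        foreach ($field->validate($row) as $e) {
            $errors[] = "Row $i: $e";
        }
    }
    return $errors;
}

// Constructed sample submission: a name carrying an HTML fragment.
$submitted = ['name' => '<b>Widget</b>', 'quantity' => '2'];

$weak = new HiddenProductFieldWeak();
var_dump($weak->validate($submitted));                 // [] : name never checked
echo $weak->get_value_entry_detail($submitted), "\n";  // markup reaches the admin page

$hard = new HiddenProductFieldHardened(['Widget', 'Gadget']);
var_dump($hard->validate($submitted));                 // ['Unexpected product name.']
echo $hard->get_value_entry_detail($submitted), "\n";  // &lt;b&gt;Widget&lt;/b&gt; ...

// Two repeater rows: one valid, one with an undefined name.
var_dump(validate_repeater_rows($hard, [
    ['name' => 'Gadget', 'quantity' => '1'],
    ['name' => 'Other',  'quantity' => '1'],
]));                                                   // ['Row 1: Unexpected product name.']
```

The point for reviewers of similar code is that the two layers are independent: validation rejects values the form never defined, and escaping at render time protects the administrator's browser even if a value slips past validation through a path such as a repeater row.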

Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-5111

Affected Products

Gravity Forms