PT-2026-36576 · WordPress · Gravity Forms

Tadokun · Published 2026-05-02 · Updated 2026-05-02

CVE-2026-5112

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Gravity Forms versions prior to 2.10.1

Description: The plugin is subject to unauthenticated stored Cross-Site Scripting (XSS), a flaw in which malicious scripts are permanently stored on the target server and executed in the browser of a user who views them. The cause is insufficient input validation and output escaping of Calculation Product field product names within Repeater fields. Specifically, the validate() method of the GF_Field_Calculation class does not validate the product name field, and the sanitize_entry_value() method saves the raw value without sanitization. When an administrator with the gravityforms_view_entries capability views the entry detail page, the get_value_entry_detail() method concatenates the unescaped product name into the output string, allowing arbitrary web scripts to execute.

Recommendations: Update to a version later than 2.10.0.
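To illustrate the two controls the description refers to (validation and sanitization on save, escaping on output), here is an added PHP example. It is not Gravity Forms code: the function names, the field structure and the sample submission are hypothetical stand-ins for the plugin's validate(), sanitize_entry_value() and get_value_entry_detail() flow.

```php
<?php
// Added example, not Gravity Forms code: a minimal model of the validate ->
// sanitize_entry_value -> get_value_entry_detail flow from the advisory.
// All names below are hypothetical stand-ins, not the plugin's real API.

// Stand-in for WordPress's esc_html() so this file runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern (the 'before'): the product name is stored as submitted
// and concatenated into the entry-detail HTML with no escaping.
function render_product_row_vulnerable(array $product): string {
    return '<div class="product">' . $product['name']
         . ' &times; ' . (int) $product['quantity'] . '</div>';
}

// Hardened output: escape at the point of rendering. This is the control that
// closes the stored-XSS path whatever was saved earlier.
function render_product_row_hardened(array $product): string {
    return '<div class="product">' . esc_html($product['name'])
         . ' &times; ' . (int) $product['quantity'] . '</div>';
}

// Hardened input: reject markup at validation time so the stored entry never
// contains tags to begin with (defence in depth; output escaping still applies).
function product_name_is_valid(string $name): bool {
    return $name !== '' && $name === strip_tags($name) && strlen($name) <= 200;
}

// Hardened save: strip anything that slipped past validation before storage.
function sanitize_product_name(string $name): string {
    return trim(strip_tags($name));
}

// Constructed sample submission: a product name carrying a script tag.
$submitted = ['name' => '<script>alert(1)</script>Widget', 'quantity' => 2];

echo "vulnerable: ", render_product_row_vulnerable($submitted), PHP_EOL;
echo "hardened:   ", render_product_row_hardened($submitted), PHP_EOL;
echo "valid name: ", var_export(product_name_is_valid($submitted['name']), true), PHP_EOL;
echo "sanitized:  ", sanitize_product_name($submitted['name']), PHP_EOL;
```

Run with `php example.php`: the vulnerable row hands the tag to the browser as markup, while the hardened row renders it as literal text and the validator rejects the submission outright.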

Tags: Fix, XSS


Related Identifiers: CVE-2026-5112

Affected Products: Gravity Forms