PT-2026-36577 · WordPress · Gravity Forms
Tadokun · Published 2026-05-02 · Updated 2026-05-02 · CVE-2026-5113
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Gravity Forms versions prior to 2.10.1
Description: The plugin is subject to Stored Cross-Site Scripting (XSS) via hidden inputs in the Consent field. This occurs because of a flawed state validation mechanism that fails open when input is sanitized by wp_kses(), combined with insufficient output escaping. The validation logic generates two hashes (one for the raw input and one for the wp_kses()-sanitized input) and rejects the submission only if both hashes differ from the original state. An unauthenticated attacker can inject XSS payloads using tags stripped by wp_kses(), such as <svg>, allowing the malicious raw value to be saved to the database. The payload executes when an authenticated administrator views the Entries List page, as the stored consent label is output without proper escaping.
Recommendations: Update to a version later than 2.10.0.
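The fail-open check described above, modelled in Python as an added example (not Gravity Forms code): `kses_like()` is a constructed stand-in for wp_kses(), the secret and labels are constructed, and the flawed validator sits beside a fail-closed one and an escaped render path so the two defects (validation and output escaping) can be seen separately.

```python
import hashlib
import hmac
import html
import re
from typing import Callable, Optional

# Constructed stand-in for wp_kses(): strips every tag but keeps text content.
# The real wp_kses() keeps an allow-list of tags; that detail does not matter here.
def kses_like(value: str) -> str:
    return re.sub(r"<[^>]*>", "", value)

SECRET = b"constructed-secret-for-demo"  # stand-in for the site's signing key

def state_hash(value: str) -> str:
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def validate_fail_open(raw: str, original_state: str) -> bool:
    """Model of the flawed check: accept if EITHER the raw value or its
    sanitized form hashes back to the original state."""
    return (state_hash(raw) == original_state
            or state_hash(kses_like(raw)) == original_state)

def validate_fail_closed(raw: str, original_state: str) -> bool:
    """Hardened check: only the value that will actually be stored is hashed,
    so a raw value that sanitization would have altered no longer passes."""
    return state_hash(raw) == original_state

def store_and_render(raw: str, original_state: str,
                     validator: Callable[[str, str], bool],
                     escape: bool) -> Optional[str]:
    """Save the raw value if the validator accepts it and return what the
    Entries List would emit for it; None means the submission was rejected."""
    if not validator(raw, original_state):
        return None
    stored = raw  # the vulnerable path persisted the raw, unsanitized value
    return html.escape(stored) if escape else stored

# Constructed sample: the label the form was rendered with, and a tampered
# copy whose extra tag is removed by kses_like(), so the sanitized hash matches.
ORIGINAL_LABEL = "I consent to be contacted"
ORIGINAL_STATE = state_hash(ORIGINAL_LABEL)
TAMPERED_LABEL = ORIGINAL_LABEL + "<svg>"

if __name__ == "__main__":
    print("fail-open accepts tampered label:", validate_fail_open(TAMPERED_LABEL, ORIGINAL_STATE))
    print("fail-closed accepts tampered label:", validate_fail_closed(TAMPERED_LABEL, ORIGINAL_STATE))
    print("unescaped render:", store_and_render(TAMPERED_LABEL, ORIGINAL_STATE, validate_fail_open, False))
    print("escaped render:", store_and_render(TAMPERED_LABEL, ORIGINAL_STATE, validate_fail_open, True))
```

Either fix alone closes the stored-XSS path for this field; the hardened validator stops the raw value from being saved, and escaping on output stops a saved value from executing.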

Tags: Fix, XSS


Weakness Enumeration
Related Identifiers: CVE-2026-5113
Affected Products: Gravity Forms