Gravity Forms stored XSS reaches admin sessions via Product Option labels
TL;DR - Gravity Forms <= 2.10.0 accepts a Product Option submission, validates it against the wp_kses()-sanitized value, then writes the raw unsanitized input to the database. When an admin views the entry Order Summary, view-order-summary.php line 32 renders option_label unescaped - executing the payload in an administrator session. Patch to 2.10.1 or newer.
What happened
Gravity Forms is a WordPress forms plugin used to collect and store user submissions for admins to review in wp-admin.
CVE-2026-5109 is a stored XSS chain rooted in Product Option field handling. The validation logic checks whether the wp_kses()-sanitized value matches a legitimate option - but then persists the raw, unsanitized input to the database. The two paths never meet again. When an administrator opens an entry, the Order Summary renders option_label directly without escaping at view-order-summary.php line 32, and the injected JavaScript runs in their session.
This is a classic "sanitize-to-validate, raw-to-store" failure. It tends to survive code review because validation and persistence are treated as separate concerns - and that split is exactly what the attacker relies on.
No authentication is required to submit a form. No privileges are required to trigger the payload. The only precondition is that an admin views the entry.
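The "sanitize-to-validate, raw-to-store" split described above, as an added illustration in plain PHP; this is not Gravity Forms' code, and the option list, function names and the wp_kses_post()/esc_html() fallbacks (stand-ins so the file runs outside WordPress) are assumptions.

```php
<?php
// Added illustration, not Gravity Forms' code: the "sanitize-to-validate,
// raw-to-store" defect beside a corrected version, in plain PHP.

// Stand-ins so this file runs outside WordPress. Inside WordPress the real
// wp_kses_post() (allowlist sanitizer) and esc_html() are used instead.
if (!function_exists('wp_kses_post')) {
    function wp_kses_post($s) { return strip_tags($s); } // crude stand-in
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}

// Legitimate option labels configured on the form (constructed sample).
$allowed_labels = ['Small', 'Medium', 'Large'];

// VULNERABLE: the value that is checked is not the value that is written.
function store_label_vulnerable(string $raw, array $allowed): ?string {
    $clean = wp_kses_post($raw);               // sanitized copy is validated...
    if (!in_array($clean, $allowed, true)) {
        return null;                           // rejected
    }
    return $raw;                               // ...but the raw input is stored
}
function render_label_vulnerable(string $stored): string {
    return '<td>' . $stored . '</td>';         // no escaping at output
}

// FIXED: store exactly the value that passed validation, escape on output.
function store_label_fixed(string $raw, array $allowed): ?string {
    $clean = wp_kses_post($raw);
    if (!in_array($clean, $allowed, true)) {
        return null;
    }
    return $clean;                             // stored value == validated value
}
function render_label_fixed(string $stored): string {
    return '<td>' . esc_html($stored) . '</td>';
}

// Constructed submission: markup the sanitizer strips away entirely, so the
// sanitized copy equals a legitimate label and validation passes.
$submission = 'Small<span data-x="markup survives"></span>';
$stored = store_label_vulnerable($submission, $allowed_labels);
echo "vulnerable stored: $stored" . PHP_EOL;   // raw markup is persisted
echo "vulnerable render: " . render_label_vulnerable($stored) . PHP_EOL;
$stored = store_label_fixed($submission, $allowed_labels);
echo "fixed stored:      $stored" . PHP_EOL;   // only the validated label
echo "fixed render:      " . render_label_fixed($stored) . PHP_EOL;
```

Either half of the fix on its own would have stopped this chain: storing the validated value removes the markup, and escaping at render time neutralises it even if raw data reached the database.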
Who is impacted
- WordPress sites running gravityforms at versions <= 2.10.0.
- Any deployment that accepts unauthenticated form submissions and has admins reviewing entries in wp-admin.
| Item | Detail |
|---|---|
| Attack precondition | Anonymous user submits a form containing a Product Option field |
| Trigger point | Admin views the entry details Order Summary |
| Severity | CVSS 3.1 7.2 (High) |
| Impact | Stored JavaScript execution inside an administrator's wp-admin session |
What to do now
- Patch immediately. Apply the vendor's remediation guidance:
"Remediation: Update to version 2.10.1, or a newer patched version."
- Inventory every WordPress instance for the gravityforms plugin. Confirm no production site is running <= 2.10.0.
- Treat any unpatched window as a potential admin-session compromise:
  - Review recent form entries for unexpected HTML or JavaScript-like payloads in Product Option fields.
  - Review wp-admin access logs for unusual entry-viewing activity or anomalous admin behaviour following submission spikes.
  - If you suspect exploitation, rotate credentials and tokens that could have been exposed via an administrator's browser session - session cookies, application passwords, API keys visible in wp-admin.
