The eForm WordPress Form Builder plugin allows users to create and manage online forms. In versions up to and including 4.18.0 the plugin does not properly sanitize or escape input that is later stored and rendered as part of a page. This flaw permits an attacker who does not need to be authenticated to embed malicious JavaScript into a form entry, which will later execute in the browser of anyone visiting that page. The result is a classic stored cross‑site scripting exploit that can be used to steal session cookies, deface the site, or redirect users to malicious domains. The weakness is a classic injection of unexpected code, mapped to CWE‑79.

The affected product is eForm by WPQuark, a WordPress form‑builder plugin distributed through the WordPress plugin repository and CodeCanyon. Any WordPress installation that has this plugin installed with a version number 4.18.0 or earlier is vulnerable. No additional software or external integrations are mentioned as prerequisites for exploitation.

The CVSS score of 7.2 indicates a medium‑to‑high severity vulnerability. The EPSS score of less than 1% shows that the probability of exploitation is very low, and the vulnerability is not listed in the CISA KEV catalog, implying no confirmed or active exploits are known. The attack vector is inferred to be unauthenticated, as the description states that no authentication is required to inject arbitrary scripts. An attacker can tamper with form entry fields as any visitor, and the stored payload will be rendered for future visitors. Because the flaw is in the plugin’s data handling, exploiting it requires only the ability to submit data to the plugin, which most sites allow by default, thereby making the vulnerability relatively easy to trigger in the absence of defenses such as strict content security policies.