Description
The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-21
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw that arises from insufficient sanitization of form field parameters in the SureForms plugin. Unauthenticated attackers can inject arbitrary JavaScript into a form submission that is subsequently rendered in a WordPress page, causing the script to execute in the browsers of any user who visits that page. This permits malicious actors to perform actions such as cookie theft, session hijacking, defacement, and other client‑side attacks without needing any privileged credentials.

Affected Systems

All versions of the SureForms plugin for WordPress up to 2.2.0 are affected. The plugin, developed by brainstormforce and marketed as SureForms – Contact Form, Payment Form & Other Custom Form Builder, provides a wide range of form‑handling features, each of which is susceptible to the stored XSS flaw when user input is not correctly filtered.

Risk and Exploitability

The CVSS score of 7.2 indicates a medium‑to‑high risk level, while an EPSS score of less than 1% suggests a low likelihood of real‑world exploitation at the time of this assessment. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attack vector is via the publicly accessible form submission endpoint, requiring only that an attacker crafts a request containing malicious payloads; no authentication is required. Once a victim loads a page containing the stored script, the injected code runs with the victim’s privileges.

Generated by OpenCVE AI on April 21, 2026 at 16:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SureForms plugin to a version newer than 2.2.0 to eliminate the unsanitized input handling.
  • If an upgrade is not achievable, disable the plugin or remove it until a patched version is available to prevent users from submitting malicious data.
  • As a temporary measure, configure a Web Application Firewall or server rule to block requests to the plugin’s form submission endpoint that contain scripts or HTML tags.

Generated by OpenCVE AI on April 21, 2026 at 16:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Dec 2025 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Brainstormforce
Brainstormforce sureforms
Wordpress
Wordpress wordpress
Vendors & Products Brainstormforce
Brainstormforce sureforms
Wordpress
Wordpress wordpress

Sun, 21 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title SureForms <= 2.2.0 - Unauthenticated Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Brainstormforce Sureforms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:09.726Z

Reserved: 2025-12-17T20:47:52.175Z

Link: CVE-2025-14855

cve-icon Vulnrichment

Updated: 2025-12-22T15:40:29.630Z

cve-icon NVD

Status : Deferred

Published: 2025-12-21T08:15:49.593

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14855

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses