Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in keksdieb ez Form Calculator Premium ez-form-calculator-premium allows Reflected XSS. This issue affects ez Form Calculator Premium: from n/a through <= 2.14.1.2.
Published: 2025-04-04
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in the WordPress ez Form Calculator Premium plugin originates from improper neutralization of user input when the plugin generates the response web page. Unsanitized form field data can be reflected back into the page, allowing an attacker to inject and execute arbitrary client‑side scripts in the browser of anyone who views the affected page.

Affected Systems

The affected product is WordPress ez Form Calculator Premium from the vendor keksdieb. All releases up to and including version 2.14.1.2 are vulnerable and therefore any WordPress installation that has this plugin enabled and accepts form submissions is at risk.

Risk and Exploitability

The CVSS score of 7.1 places this issue in the High severity band. The EPSS score of less than 1% suggests the likelihood of exploitation in the wild is very low at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a reflected XSS attack triggered when a user visits a specially crafted URL containing malicious payloads in form fields; exploitation requires the victim to interact with the form or click a link.

Generated by OpenCVE AI on May 2, 2026 at 08:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ez Form Calculator Premium to the latest released version (2.15 or newer) from keksdieb.
  • If no update is available, disable the plugin or remove any installed instances of ez Form Calculator Premium from your WordPress site.
  • Enable a Web Application Firewall or WordPress security plugin that provides input sanitization and XSS protection while a patch is pending.


Advisories
Source: EUVD
ID: EUVD-2025-9714
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EPC ez Form Calculator - WordPress plugin allows Reflected XSS. This issue affects ez Form Calculator - WordPress plugin: from n/a through 2.14.1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EPC ez Form Calculator - WordPress plugin allows Reflected XSS. This issue affects ez Form Calculator - WordPress plugin: from n/a through 2.14.1.2.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in keksdieb ez Form Calculator Premium ez-form-calculator-premium allows Reflected XSS. This issue affects ez Form Calculator Premium: from n/a through <= 2.14.1.2.
Title
  Values Removed: WordPress ez Form Calculator - WordPress plugin plugin <= 2.14.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
  Values Added: WordPress ez Form Calculator Premium plugin <= 2.14.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 04 Apr 2025 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 11:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EPC ez Form Calculator - WordPress plugin allows Reflected XSS. This issue affects ez Form Calculator - WordPress plugin: from n/a through 2.14.1.2.
Title WordPress ez Form Calculator - WordPress plugin plugin <= 2.14.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:57.873Z

Reserved: 2025-01-03T13:15:43.300Z

Link: CVE-2025-22282

Vulnrichment

Updated: 2025-04-04T11:56:32.603Z

NVD

Status: Deferred

Published: 2025-04-04T11:15:39.680

Modified: 2026-06-17T08:46:08.510

Link: CVE-2025-22282

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:45:38Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')