Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WesternDeal GSheetConnector for Forminator Forms gsheetconnector-forminator allows Reflected XSS. This issue affects GSheetConnector for Forminator Forms: from n/a through <= 1.0.12.
Published: 2025-01-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Reflected Cross‑Site Scripting flaw caused by improper input neutralization in the GSheetConnector for Forminator Forms WordPress plugin. When an attacker crafts a malicious payload that is reflected back into the webpage, users who visit the affected URL can have arbitrary scripts executed in their browser. This can lead to session hijacking, credential theft, defacement, or other attacks that compromise the confidentiality, integrity, and availability of the site’s data. The weakness is classified as CWE‑79.

Affected Systems

The flaw affects the WesternDeal GSheetConnector for Forminator Forms plugin for WordPress, impacting all releases from the earliest available version up to version 1.0.12. Site owners running any of these versions are vulnerable if the plugin remains active.

Risk and Exploitability

With a CVSS score of 7.1 the vulnerability is considered high severity, but the EPSS score is less than 1% and it does not appear in the CISA KEV catalog. The likely attack vector is a crafted URL or form submission that includes malicious input, which the plugin reflects without proper escaping. Successful exploitation requires user interaction (visiting the malicious link), which an attacker could obtain through social engineering. Even though the exploitation probability is low, immediate remediation is still recommended to prevent potential widespread impact.

Generated by OpenCVE AI on May 2, 2026 at 09:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GSheetConnector for Forminator Forms plugin to the latest available patched version.
  • If the plugin is not essential, deactivate or remove it from the WordPress installation.
  • Implement a Content Security Policy that restricts script execution to trusted sources, mitigating potential XSS from this and other plugins.

Advisories
Source: EUVD
ID: EUVD-2025-2967
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GSheetConnector GSheetConnector for Forminator Forms allows Reflected XSS. This issue affects GSheetConnector for Forminator Forms: from n/a through 1.0.11.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GSheetConnector GSheetConnector for Forminator Forms allows Reflected XSS. This issue affects GSheetConnector for Forminator Forms: from n/a through 1.0.11.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WesternDeal GSheetConnector for Forminator Forms gsheetconnector-forminator allows Reflected XSS. This issue affects GSheetConnector for Forminator Forms: from n/a through <= 1.0.12.

Type: Title
Values Removed: WordPress GSheetConnector for Forminator Forms Plugin <= 1.0.11 - Reflected Cross Site Scripting (XSS) vulnerability
Values Added: WordPress GSheetConnector for Forminator Forms Plugin <= 1.0.12 - Reflected Cross Site Scripting (XSS) vulnerability

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Wed, 05 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Gsheetconnector
Gsheetconnector gsheetconnector For Forminator Forms
CPEs cpe:2.3:a:gsheetconnector:gsheetconnector_for_forminator_forms:*:*:*:*:*:wordpress:*:*
Vendors & Products Gsheetconnector
Gsheetconnector gsheetconnector For Forminator Forms

Wed, 15 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GSheetConnector GSheetConnector for Forminator Forms allows Reflected XSS. This issue affects GSheetConnector for Forminator Forms: from n/a through 1.0.11.
Title WordPress GSheetConnector for Forminator Forms Plugin <= 1.0.11 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:06.631Z

Reserved: 2025-01-07T21:04:32.545Z

Link: CVE-2025-22752

Vulnrichment

Updated: 2025-01-15T18:57:18.338Z

NVD

Status: Modified

Published: 2025-01-15T16:15:37.933

Modified: 2026-06-17T08:49:47.710

Link: CVE-2025-22752

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T10:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')