Impact
The dForms plugin for WordPress contains an Improper Neutralization of Input During Web Page Generation vulnerability that permits reflected Cross-Site Scripting. An attacker can inject malicious JavaScript into the list form view, and it executes in the victim's browser when the crafted URL is loaded. A successful attack can be used to hijack sessions, exfiltrate cookies, deface content, or drive phishing activity. The weakness is a classic input-handling flaw, categorized as CWE-79.
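The following is an added illustration of the CWE-79 pattern described above, not code from the dForms plugin: a hypothetical WordPress "list form" view that reflects a request parameter (the parameter name `dforms_filter` and the shortcode name are assumptions for this example) first without escaping, then hardened with WordPress's context-specific escaping functions.

```php
<?php
// Added example, NOT dForms code. The parameter `dforms_filter` and the
// shortcode `dforms_example_list` are assumptions made for illustration.

// Vulnerable pattern: a request value is written straight into the HTML.
function dforms_example_list_view_vulnerable() {
    $filter = isset( $_GET['dforms_filter'] ) ? $_GET['dforms_filter'] : '';
    // Reflected XSS: nothing neutralises markup in the URL before output,
    // so whatever the link carries is emitted into the page as-is.
    return '<input type="text" name="dforms_filter" value="' . $filter . '">'
         . '<p>Showing forms matching: ' . $filter . '</p>';
}

// Hardened pattern: sanitise on input, then escape for the exact output
// context (attribute value vs. text node) at the point of output.
function dforms_example_list_view_hardened() {
    $filter = isset( $_GET['dforms_filter'] )
        ? sanitize_text_field( wp_unslash( $_GET['dforms_filter'] ) )
        : '';
    return '<input type="text" name="dforms_filter" value="' . esc_attr( $filter ) . '">'
         . '<p>Showing forms matching: ' . esc_html( $filter ) . '</p>';
}

// Shortcodes must return markup rather than echo it; only the hardened
// view is registered here.
add_shortcode( 'dforms_example_list', 'dforms_example_list_view_hardened' );
```

When reviewing a plugin for this class of bug, the check is whether every `$_GET`/`$_POST` value that reaches output passes through `esc_attr()`, `esc_html()`, `esc_url()` or the equivalent for its context; sanitising on input alone is not sufficient.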
Affected Systems
This issue affects the animexxx dForms WordPress plugin version 1.0 and all earlier releases. Any WordPress site that has installed this plugin and has not upgraded past 1.0 is potentially vulnerable. Vulnerable installations must be identified and assessed for removal or upgrade.
Risk and Exploitability
The advisory lists a CVSS score of 7.1, indicating a high severity rating, while the EPSS score is below 1%, suggesting that current exploitation likelihood is low but not zero. The vulnerability is not yet catalogued in CISA's Known Exploited Vulnerabilities database. Given the nature of reflected XSS, the attack vector is most likely a user-directed request that includes malicious query or form data; authentication is not required, so exposure depends on how many users can be induced to load the vulnerable view through a crafted link.