Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fromdoppler Doppler Forms doppler-form allows Stored XSS. This issue affects Doppler Forms: from n/a through <= 2.5.1.
Published: 2025-04-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an instance of Improper Neutralization of Input During Web Page Generation (CWE‑79) that permits an attacker to store malicious script payloads in content handled by the Doppler Forms plugin. The stored payload is rendered without escaping when the page is accessed, causing the script to execute in the browser context of anyone who views the affected page. This can enable client‑side attacks that compromise the integrity or confidentiality of the user session.

Affected Systems

The affected product is the Doppler Forms plugin for WordPress, released by the vendor Doppler Forms (fromdoppler). Versions from the earliest release through version 2.5.1 are vulnerable. Sites that have not updated to 2.5.2 or later and that allow untrusted users to submit data via Doppler Forms are at risk.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate severity. The EPSS score is below 1%, suggesting that active exploitation is currently rare. The vulnerability is not in the CISA KEV catalog. Exploitation requires an attacker to submit a form entry that includes a malicious script; the payload is stored by the plugin and rendered unescaped on subsequent page loads. Attackers do not require authentication. The risk level is therefore medium to high for sites that accept untrusted form submissions without additional safeguards.

Generated by OpenCVE AI on May 1, 2026 at 11:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Doppler Forms plugin to version 2.5.2 or later to remove the stored XSS flaw.
  • If an upgrade is not immediately possible, disable or block front‑end form submissions so that user‑supplied content cannot be stored.
  • Apply a content security policy that blocks inline scripts and limits script sources to trusted domains to mitigate any stored script that may survive.

Advisories
Source: EUVD
ID: EUVD-2025-9856
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fromdoppler Doppler Forms allows Stored XSS. This issue affects Doppler Forms: from n/a through 2.4.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fromdoppler Doppler Forms allows Stored XSS. This issue affects Doppler Forms: from n/a through 2.4.5.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fromdoppler Doppler Forms doppler-form allows Stored XSS. This issue affects Doppler Forms: from n/a through <= 2.5.1.
Title
  Values Removed: WordPress Doppler Forms plugin <= 2.4.5 - Cross Site Scripting (XSS) vulnerability
  Values Added: WordPress Doppler Forms plugin <= 2.5.1 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 04 Apr 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description (Values Added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fromdoppler Doppler Forms allows Stored XSS. This issue affects Doppler Forms: from n/a through 2.4.5.
Title (Values Added): WordPress Doppler Forms plugin <= 2.4.5 - Cross Site Scripting (XSS) vulnerability
Weaknesses (Values Added): CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:17.813Z

Reserved: 2025-04-04T10:01:05.032Z

Link: CVE-2025-32165

Vulnrichment

Updated: 2025-04-04T19:54:26.767Z

NVD

Status : Deferred

Published: 2025-04-04T16:15:25.070

Modified: 2026-04-23T15:28:40.823

Link: CVE-2025-32165

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:15:15Z

Weaknesses