Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Link Software LLC HTML Forms html-forms allows Stored XSS. This issue affects HTML Forms: from n/a through <= 1.5.2.
Published: 2025-04-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input during web page generation allows an attacker to store malicious JavaScript within the HTML Forms plugin. When a visitor loads a page containing the stored payload, the script executes in that visitor’s browser, potentially exposing session data, credentials, or other sensitive information, and enabling downstream attacks such as session hijacking or defacement.

Affected Systems

WordPress sites that have installed Link Software LLC’s HTML Forms plugin up to and including version 1.5.2. Any instance of that plugin within this version range is impacted; later releases beyond 1.5.2 are not affected by the reported flaw.

Risk and Exploitability

The CVSS score of 6.5 places the vulnerability in the moderate severity category. The EPSS score of less than 1% indicates a low current exploitation probability, and the flaw is not listed in CISA’s KEV catalogue. The likely attack vector involves a stored XSS payload submitted through the plugin’s form entry interface; an attacker must control the submission data but does not require elevated site privileges. If the payload is accepted and displayed, it runs in the context of any visitor who views the affected page.

Generated by OpenCVE AI on May 2, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the HTML Forms plugin to a version newer than 1.5.2 when an update is released by the vendor or from a trusted source.
  • If an immediate update is not possible, limit the use of the form to trusted administrators or temporarily disable the vulnerable form instance.
  • Deploy a web application firewall or a security plugin to block or sanitize script tags and other suspicious content in form submissions.



Advisories
Source ID Title
EUVD EUVD-2025-12311 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Link Software LLC HTML Forms allows Stored XSS. This issue affects HTML Forms: from n/a through 1.5.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics
  Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Link Software LLC HTML Forms allows Stored XSS. This issue affects HTML Forms: from n/a through 1.5.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Link Software LLC HTML Forms html-forms allows Stored XSS.This issue affects HTML Forms: from n/a through <= 1.5.2.
Title
  Removed: WordPress HTML Forms <= 1.5.2 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress HTML Forms plugin <= 1.5.2 - Cross Site Scripting (XSS) Vulnerability
References
Metrics
  Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
  Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Fri, 30 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared
  Added: Linksoftwarellc; Linksoftwarellc html Forms
CPEs
  Removed: cpe:2.3:a:ibericode:html_forms:*:*:*:*:*:wordpress:*:*
  Added: cpe:2.3:a:linksoftwarellc:html_forms:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Removed: Ibericode; Ibericode html Forms
  Added: Linksoftwarellc; Linksoftwarellc html Forms

Wed, 30 Apr 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared
  Added: Ibericode; Ibericode html Forms
CPEs
  Added: cpe:2.3:a:ibericode:html_forms:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Added: Ibericode; Ibericode html Forms

Tue, 22 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 22 Apr 2025 10:00:00 +0000

Type Values Removed Values Added
Description
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Link Software LLC HTML Forms allows Stored XSS. This issue affects HTML Forms: from n/a through 1.5.2.
Title
  Added: WordPress HTML Forms <= 1.5.2 - Cross Site Scripting (XSS) Vulnerability
Weaknesses
  Added: CWE-79
References
Metrics
  Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Linksoftwarellc Html Forms

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:36.726Z

Reserved: 2025-04-22T09:21:32.318Z

Link: CVE-2025-46236

Vulnrichment

Updated: 2025-04-22T14:11:59.150Z

NVD

Status: Modified

Published: 2025-04-22T10:15:16.943

Modified: 2026-04-23T15:29:55.530

Link: CVE-2025-46236

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:00:15Z

Weaknesses