Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Ratudi VPSUForm v-form allows Stored XSS. This issue affects VPSUForm: from n/a through <= 3.1.14.
Published: 2025-04-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Vikas Ratudi VPSUForm plugin, version 3.1.14 and earlier, improperly neutralizes input during web page generation, allowing an attacker to embed malicious scripts that are stored in the database and later served to unsuspecting users. The stored XSS flaw can lead to theft of session cookies, defacement of the site, or unauthorized actions performed on behalf of users. The weakness is classified as CWE‑79, improper neutralization of input during web page generation.

Affected Systems

WordPress sites running the VPSUForm contact‑form plugin version 3.1.14 or older are affected. This includes any deployment of the Vikas Ratudi Lifetime Free Drag & Drop Contact Form Builder for WordPress, as it uses the same plugin code base. No specific customer or hosting environment is singled out, but any WordPress installation that has installed or upgraded the plugin to the mentioned versions is at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate risk. The EPSS score of less than 1% shows that the exploitation probability is low, and the vulnerability is not listed in the CISA KEV catalog, meaning no known large‑scale exploitation currently exists. The recorded CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:R/S:C) describes a network‑reachable attack that requires high privileges and user interaction, with a changed scope. The likely attack vector is through the form fields that echo back user input; an attacker could submit a script payload that is stored and later delivered to authenticated or unauthenticated users when the form data is displayed. In practice, the impact is limited to the scope of the site because the script runs in the victim’s browser context, but it can be used for credential theft and session hijacking.

Generated by OpenCVE AI on April 30, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update VPSUForm to a version newer than 3.1.14 as soon as a patch is released by the vendor.
  • If an update is not yet available, temporarily remove or disable the plugin to stop the vulnerable functionality from being exposed.
  • As a precaution, review all form‑related content for proper escaping before rendering it back to users and consider implementing a generic input sanitization routine.



Advisories
Source: EUVD
ID: EUVD-2025-12307
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Ratudi VForm allows Stored XSS. This issue affects VForm: from n/a through 3.1.14.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Ratudi VForm allows Stored XSS. This issue affects VForm: from n/a through 3.1.14.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Ratudi VPSUForm v-form allows Stored XSS. This issue affects VPSUForm: from n/a through <= 3.1.14.

Type: Title
Values Removed: WordPress VForm <= 3.1.14 - Cross Site Scripting (XSS) Vulnerability
Values Added: WordPress VForm plugin <= 3.1.14 - Cross Site Scripting (XSS) Vulnerability

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Wed, 30 Apr 2025 15:45:00 +0000

Type: First Time appeared
Values Added: Vikasratudi; Vikasratudi lifetime Free Drag & Drop Contact Form Builder

Type: CPEs
Values Added: cpe:2.3:a:vikasratudi:lifetime_free_drag_\&_drop_contact_form_builder:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Vikasratudi; Vikasratudi lifetime Free Drag & Drop Contact Form Builder

Tue, 22 Apr 2025 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 22 Apr 2025 10:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Ratudi VForm allows Stored XSS. This issue affects VForm: from n/a through 3.1.14.

Type: Title
Values Added: WordPress VForm <= 3.1.14 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:37.042Z

Reserved: 2025-04-22T09:21:43.075Z

Link: CVE-2025-46250

Vulnrichment

Updated: 2025-04-22T13:42:13.180Z

NVD

Status: Modified

Published: 2025-04-22T10:15:19.590

Modified: 2026-04-23T15:29:57.273

Link: CVE-2025-46250

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:30:36Z

Weaknesses