Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPQuark eForm - WordPress Form Builder wp-fsqm-pro allows Reflected XSS. This issue affects eForm - WordPress Form Builder: from n/a through < 4.19.1.
Published: 2025-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is improper neutralization of user-controlled input that the eForm - WordPress Form Builder plugin reflects into a generated page, letting an attacker place script into the HTML response (CWE-79). Because the flaw is reflected rather than stored, the script runs only in the browser of a victim who follows a crafted link, but it runs there with the site's origin, which can expose session cookies and nonces, allow actions to be performed as the victim, or deface what that user sees. CWE-79 is an output-encoding weakness: the durable fix is to encode data for the HTML context it is written into, not only to validate it on input.

Affected Systems

All installations of WPQuark eForm - WordPress Form Builder with a version earlier than 4.19.1 are affected; any WordPress site with the plugin installed and active remains exposed until it is updated.
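A quick way to confirm exposure on a given install, written as an added example for this page rather than taken from the vendor or the CVE record: read the plugin's WordPress "Version:" header from disk and compare it with 4.19.1, the first release the affected-version range ("< 4.19.1") treats as fixed. It assumes the plugin directory is wp-content/plugins/wp-fsqm-pro (the slug named in the description) and that the main plugin file carries a standard plugin header; both are assumptions, so adjust the path if a site installs the premium plugin under another directory.

```php
<?php
// Added example, not code from the CVE record or from WPQuark.
// Reports whether a local WordPress install still runs eForm (slug
// wp-fsqm-pro) below 4.19.1. Assumptions: the plugin lives under
// wp-content/plugins/wp-fsqm-pro/ and its main file has a "Version:" header.

const FIXED_VERSION = '4.19.1';
const PLUGIN_SLUG   = 'wp-fsqm-pro';

/**
 * Extract the "Version:" plugin header from the plugin's PHP files.
 * WordPress itself only reads headers from the first 8 KB of a file,
 * so the same window is used here. Returns null when no header is found.
 */
function eform_installed_version(string $plugin_dir): ?string
{
    foreach (glob(rtrim($plugin_dir, '/') . '/*.php') ?: [] as $file) {
        $head = file_get_contents($file, false, null, 0, 8192);
        if ($head === false) {
            continue;
        }
        // Header lines look like " * Version: 4.18.0" inside the file comment.
        if (preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $head, $m)) {
            return $m[1];
        }
    }
    return null;
}

/**
 * Classify an installed version against the fixed release.
 * version_compare() handles dotted releases and pre-release suffixes.
 */
function eform_status(?string $installed): string
{
    if ($installed === null) {
        return 'not-installed';
    }
    return version_compare($installed, FIXED_VERSION, '<') ? 'vulnerable' : 'patched';
}

// Usage: php check-eform.php /var/www/html
$wp_root = $argv[1] ?? '.';
$dir     = "$wp_root/wp-content/plugins/" . PLUGIN_SLUG;
$version = eform_installed_version($dir);
printf("%s: %s (installed: %s, fixed: %s)\n",
    PLUGIN_SLUG, eform_status($version), $version ?? 'n/a', FIXED_VERSION);
```

On hosts where WP-CLI is available, `wp plugin list --fields=name,version` gives the same information without reading files; the script above is for fleets where only filesystem access is available.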

Risk and Exploitability

The CVSS 3.1 base score of 7.1 is rated High (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), while the EPSS of less than 1% indicates a very low current probability of exploitation in the wild; the SSVC assessment on the record likewise lists Exploitation: none and Automatable: no. The flaw is a reflected XSS, so an attacker needs no account on the site (PR:N) but must get a victim to open a crafted link (UI:R); the damage is greatest when that victim holds a privileged session, such as an administrator. No prior compromise of the site is needed, and the scope-changed (S:C) vector reflects that the payload executes in the victim's browser rather than in the plugin itself.

Generated by OpenCVE AI on April 30, 2026 at 17:41 UTC.

Remediation

No vendor advisory or workaround is linked on this record. The affected-version range in the description ("< 4.19.1") and the advisory title identify 4.19.1 as the first fixed release.

OpenCVE Recommended Actions

  • Upgrade eForm - WordPress Form Builder to version 4.19.1 or later; the affected range on this record ("< 4.19.1") marks that as the first fixed release.
  • Disable or uninstall the plugin on sites where the form functionality is no longer required, which removes the attack surface entirely.
  • Apply context-appropriate output encoding (in addition to input validation) on any custom forms, and consider a stricter Content Security Policy to limit what an injected script can do if an encoding gap remains.
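To make the Impact discussion and the output-encoding recommendation concrete, here is the unsafe pattern behind a reflected XSS beside its hardened form, with the CSP header mentioned above. This is an added example written for this page, not code from the eForm plugin; the CVE record does not name the affected parameter, so the "redirect" field and the markup are hypothetical. Inside WordPress the hardened version would use esc_attr() and esc_html(); both encode with ENT_QUOTES via _wp_specialchars(), which is what htmlspecialchars() does below so the file runs outside WordPress.

```php
<?php
// Added example, not code from eForm. Demonstrates CWE-79 (reflected XSS):
// the parameter name "redirect" and the markup are hypothetical.

/** Vulnerable: request data is written straight into the HTML response. */
function render_unsafe(string $value): string
{
    return '<input type="text" name="redirect" value="' . $value . '">'
         . '<p>Return to: ' . $value . '</p>';
}

/**
 * Hardened: encode for the context the value lands in. WordPress wraps the
 * same call as esc_attr() (attribute values) and esc_html() (text nodes).
 * ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string, which would hide the input.
 */
function esc_ctx(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(string $value): string
{
    return '<input type="text" name="redirect" value="' . esc_ctx($value) . '">'
         . '<p>Return to: ' . esc_ctx($value) . '</p>';
}

/**
 * Defence in depth: a CSP without 'unsafe-inline' blocks the inline script
 * a reflected payload relies on even if an encoding gap remains. A plugin
 * would emit it from the send_headers action or the wp_headers filter.
 */
function csp_header(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'";
}

// Constructed payload: closes the attribute, then the text node carries the script.
$payload = '"><script>alert(document.domain)</script>';

echo "Unsafe:\n", render_unsafe($payload), "\n\n";
echo "Hardened:\n", render_safe($payload), "\n\n";
echo csp_header(), "\n";
```

Run with `php reflect.php`: the unsafe output contains a live `<script>` element, while the hardened output shows `&quot;&gt;&lt;script&gt;...` as inert text. When a value is used as a URL rather than text, encode with esc_url() instead, and only allow HTML from users through wp_kses() with an explicit allow-list.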



Advisories
Source: EUVD
ID: EUVD-2025-28206
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPQuark eForm - WordPress Form Builder allows Reflected XSS. This issue affects eForm - WordPress Form Builder: from n/a through n/a.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPQuark eForm - WordPress Form Builder allows Reflected XSS. This issue affects eForm - WordPress Form Builder: from n/a through n/a.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPQuark eForm - WordPress Form Builder wp-fsqm-pro allows Reflected XSS.This issue affects eForm - WordPress Form Builder: from n/a through < 4.19.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 23 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPQuark eForm - WordPress Form Builder allows Reflected XSS. This issue affects eForm - WordPress Form Builder: from n/a through n/a.
Title WordPress eForm - WordPress Form Builder < 4.19.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:56.747Z

Reserved: 2025-05-19T14:14:34.468Z

Link: CVE-2025-48333

Vulnrichment

Updated: 2025-06-23T16:09:16.238Z

NVD

Status : Deferred

Published: 2025-06-17T15:15:44.867

Modified: 2026-04-23T15:31:07.497

Link: CVE-2025-48333

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T17:45:26Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')