Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RylanH Storyform storyform allows Reflected XSS. This issue affects Storyform: from n/a through <= 0.6.14.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user-supplied input during web page generation, resulting in a reflected XSS flaw in the RylanH Storyform plugin. An attacker could inject JavaScript that executes in the browser of any user who opens a crafted form page, enabling theft of session cookies, credential phishing, or other client-side attacks. The weakness is classified as CWE-79 and affects the confidentiality and integrity of user data by running attacker-controlled script in the victim's context. Because the flaw is reflected, the attack requires a crafted URL or form that a victim engages with; this is inferred from the description rather than stated by the vendor.

Affected Systems

Affected systems are websites running the WordPress Storyform plugin at version 0.6.14 or earlier. All releases from the initial public build (listed as n/a) through 0.6.14 are vulnerable. The plugin is developed by RylanH and is identified in the CNA list as RylanH:Storyform.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity for this reflected XSS. However, the EPSS score is below 1%, suggesting exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog, so there is no confirmed in-the-wild exploitation at the time of this analysis. Based on the description, the attack would need a crafted URL or form payload that a victim clicks on or visits, so it is typically a phishing or lure scenario.

Generated by OpenCVE AI on April 29, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Storyform plugin to the latest version (≥ 0.6.15) when it becomes available.
  • If an upgrade is not possible, completely disable or uninstall the plugin from the WordPress site.
  • If the plugin must remain active, place a web-application firewall or input validation layer in front of it to reject or sanitize user input that reaches the Storyform forms, reducing residual risk until a fixed release is available.


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added:
  • cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added:
  • Rylanh
  • Rylanh storyform
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: (empty)
Values Added:
  • Rylanh
  • Rylanh storyform
  • Wordpress
  • Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Removed: (empty)
Values Added:
  • Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RylanH Storyform storyform allows Reflected XSS. This issue affects Storyform: from n/a through <= 0.6.14.

Type: Title
Values Removed: (empty)
Values Added:
  • WordPress Storyform plugin <= 0.6.14 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Removed: (empty)
Values Added:
  • CWE-79

Type: References
Values Removed: (empty)
Values Added: (empty)

Subscriptions

Rylanh Storyform
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:11:47.346Z

Reserved: 2025-06-27T10:28:11.948Z

Link: CVE-2025-53233

Vulnrichment

Updated: 2026-02-23T21:46:58.950Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:02.077

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-53233

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T17:30:16Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')