Description
The Forms Bridge – Infinite integrations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in the 'financoop_campaign' shortcode in all versions up to, and including, 4.2.5. This is due to insufficient input sanitization and output escaping on the user-supplied 'id' parameter in the forms_bridge_financoop_shortcode_error function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-28
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Forms Bridge – Infinite integrations plugin for WordPress contains a stored cross‑site scripting flaw in its handling of the 'id' attribute of the 'financoop_campaign' shortcode. Because the input is not sanitized, any authenticated user with Contributor-level access or higher can inject arbitrary JavaScript into pages. Once injected, the code executes in every visitor’s browser when they request a page containing the shortcode, potentially enabling cookie theft, session hijacking, and defacement. This weakness corresponds to CWE‑79.

Affected Systems

The vulnerability affects all WordPress installations of the Forms Bridge – Infinite integrations plugin by codeccoop, in releases up through 4.2.5. Any site that has not yet updated beyond this version and has users granted Contributor or higher privileges is exposed. The issue is limited to the plugin component and does not impact core WordPress or other plugins directly.

Risk and Exploitability

The flaw carries a medium CVSS score of 6.4 and an EPSS value of less than 1 percent, indicating that it is not a top‑priority issue but remains a valid attack vector. Since exploitation requires authenticated access at Contributor level or above, an attacker must first compromise an account with sufficient privileges or use social engineering to obtain one. Once the payload is in place, every visitor to a page that renders the shortcode becomes a victim. The vulnerability is not listed in the CISA KEV catalog, further suggesting it is not widely targeted yet.

Generated by OpenCVE AI on April 15, 2026 at 19:01 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Forms Bridge – Infinite integrations plugin to the latest available version to eliminate the vulnerability.
  • Limit Contributor‑level access to users that truly require it, thereby reducing the number of accounts capable of inserting malicious input.
  • Configure the WordPress site to use its built‑in XSS filtering or install a security plugin that sanitizes shortcode attributes and blocks unsanitized script injection.
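
An added audit sketch to support the actions above (not OpenCVE's or the plugin's own code): it scans exported post content for 'financoop_campaign' shortcodes and flags any 'id' value that is not a plain identifier, so injected content can be found and reviewed. The allowlist pattern, the function names and the sample posts are assumptions constructed for illustration; the format of valid ids is not stated on this page.

```python
import re

# Matches [financoop_campaign ...] and captures the raw attribute string.
SHORTCODE_RE = re.compile(r"\[financoop_campaign\b([^\]]*)\]", re.IGNORECASE)
# WordPress-style attribute forms: id="...", id='...' or bare id=value.
ID_ATTR_RE = re.compile(
    r"""(?<![\w-])id\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""", re.IGNORECASE
)
# Assumption: a legitimate campaign id is a short plain identifier.
SAFE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def audit_post(post_id, content):
    """Return one finding per shortcode whose id fails the allowlist."""
    findings = []
    for shortcode in SHORTCODE_RE.finditer(content):
        attr = ID_ATTR_RE.search(shortcode.group(1))
        if attr is None:
            continue  # no id attribute: nothing user-supplied to check
        value = next(g for g in attr.groups() if g is not None)
        if not SAFE_ID_RE.fullmatch(value):
            findings.append(
                {"post_id": post_id, "id_value": value, "shortcode": shortcode.group(0)}
            )
    return findings


def audit_posts(posts):
    """posts maps post ID -> post_content, e.g. from a wp_posts export."""
    results = []
    for post_id, content in sorted(posts.items()):
        results.extend(audit_post(post_id, content))
    return results


# Constructed sample content, not taken from any real site.
SAMPLE_POSTS = {
    101: 'Support us: [financoop_campaign id="42"]',
    102: "Intro [financoop_campaign id='spring-2026'] outro",
    103: '[financoop_campaign id="12<span title=x>"]',
    104: 'Plain text mentioning id="<b>" outside any shortcode.',
}

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print(finding)
```

Because the check is an allowlist, entity-encoded or otherwise obfuscated values are flagged as well as literal markup.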


Advisories

No advisories yet.

History

Thu, 29 Jan 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Wed, 28 Jan 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 07:00:00 +0000

Type | Values Removed | Values Added
Description | | The Forms Bridge – Infinite integrations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in the 'financoop_campaign' shortcode in all versions up to, and including, 4.2.5. This is due to insufficient input sanitization and output escaping on the user-supplied 'id' parameter in the forms_bridge_financoop_shortcode_error function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Forms Bridge <= 4.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:47.403Z

Reserved: 2026-01-20T18:47:11.943Z

Link: CVE-2026-1244

Vulnrichment

Updated: 2026-01-28T15:04:00.560Z

NVD

Status: Deferred

Published: 2026-01-28T07:16:00.513

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1244

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:15:12Z

Weaknesses