Description
The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API entry submission endpoint in all versions up to, and including, 1.6.27. This is due to inconsistent input sanitization between the frontend AJAX handler and the REST API endpoint. When entries are submitted via the REST API (`/wp-json/weforms/v1/forms/{id}/entries/`), the `prepare_entry()` method in `class-abstract-fields.php` receives the WP_REST_Request object as `$args`, bypassing the `weforms_clean()` fallback that sanitizes `$_POST` data for frontend submissions. The base field handler only applies `trim()` to the value. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts into form entry hidden field values via the REST API that execute when an administrator views the form entries page, where data is rendered using a Vue.js `v-html` directive without escaping.
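As an added illustration (hypothetical, simplified PHP, not weForms' own code), this sketch shows the pattern the description names and the hardening a maintainer would apply: sanitize inside the field handler itself so the REST path cannot skip it, and escape on output instead of binding stored values with `v-html`. The `sanitize_text_like()` and `esc_html_like()` stand-ins are assumptions that approximate WordPress' `sanitize_text_field()` and `esc_html()` so the sketch runs outside WordPress; `prepare_entry_*` are illustrative names, not the plugin's signatures.

```php
<?php
// Added illustration for CVE-2026-2707. Hypothetical, simplified code: not
// weForms' implementation, only the pattern the advisory describes and one
// way to close it.

// Stand-ins so the sketch runs without WordPress. In a plugin use WordPress'
// sanitize_text_field() and esc_html(); these only approximate them.
function sanitize_text_like($value): string {
    $value = strip_tags((string) $value);                      // drop HTML/script tags
    $value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value);  // strip control chars
    return trim(preg_replace('/\s+/', ' ', $value));
}
function esc_html_like($value): string {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// PATTERN THE ADVISORY DESCRIBES: the frontend path cleans $_POST before the
// handler runs, but the REST path passes the request object straight in, so
// the base handler's trim() is the only processing the value receives.
function prepare_entry_trim_only($args, string $field_name): string {
    return trim((string) ($args[$field_name] ?? ''));   // no sanitization here
}

// HARDENED: sanitize in the handler, whatever the source. A plain array
// (frontend $_POST) and an ArrayAccess object (WP_REST_Request implements it)
// are both accepted, so neither path can bypass the cleanup.
function prepare_entry_sanitized($args, string $field_name): string {
    if (!is_array($args) && !($args instanceof ArrayAccess)) {
        return '';
    }
    $raw = $args[$field_name] ?? '';
    if (!is_scalar($raw)) {            // hidden-field values must be plain strings
        return '';
    }
    return sanitize_text_like($raw);
}

// Second layer: escape on output. Rendering stored values with v-html (raw
// innerHTML) undoes any storage-side cleanup; emit them as text instead.
function render_entry_cell(string $stored_value): string {
    return '<td>' . esc_html_like($stored_value) . '</td>';
}

// Constructed sample request body (not a real submission). The same value
// is harmless after the hardened handler and output escaping.
$request = ['hidden_ref' => "  <b>tracking-code</b> "];
echo prepare_entry_trim_only($request, 'hidden_ref'), "\n";   // markup survives
echo prepare_entry_sanitized($request, 'hidden_ref'), "\n";   // markup stripped
echo render_entry_cell(prepare_entry_trim_only($request, 'hidden_ref')), "\n";
```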
Published: 2026-03-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Patch
AI Analysis

Impact

The weForms plugin for WordPress has a Stored Cross-Site Scripting flaw that allows an authenticated user with Subscriber-level access or higher to inject arbitrary JavaScript into hidden form field values via the REST API entry submission endpoint. The injected scripts are stored without proper sanitization because the REST API bypasses the normal input-cleanup logic used for frontend AJAX submissions. When an administrator later opens the form entries page, the data is rendered by Vue.js using a v-html directive that does not escape the content, causing the script to execute in the browser context.

Affected Systems

The flaw affects the Boldgrid:weForms – Easy Drag & Drop Contact Form Builder For WordPress plugin in all released versions up to and including 1.6.27. No version newer than 1.6.27 is identified as vulnerable in the available data, so no specific later version is known to be at risk.

Risk and Exploitability

The CVSS v3.1 base score of 6.4 indicates moderate severity, and an EPSS score of less than 1 % suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker be able to authenticate to the site with a Subscriber or higher role and submit a crafted payload to the REST API endpoint /wp-json/weforms/v1/forms/{id}/entries/. When an administrator views the stored entries, the malicious JavaScript will run, potentially leading to theft of session cookies, defacement, or further lateral movement within the WordPress installation.

Generated by OpenCVE AI on March 17, 2026 at 17:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Boldgrid:weForms to a version newer than 1.6.27.


Tracking


Advisories

No advisories yet.

History

Wed, 11 Mar 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Boldgrid; Boldgrid weforms – Easy Drag & Drop Contact Form Builder For Wordpress; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Boldgrid; Boldgrid weforms – Easy Drag & Drop Contact Form Builder For Wordpress; Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 05:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API entry submission endpoint in all versions up to, and including, 1.6.27. This is due to inconsistent input sanitization between the frontend AJAX handler and the REST API endpoint. When entries are submitted via the REST API (`/wp-json/weforms/v1/forms/{id}/entries/`), the `prepare_entry()` method in `class-abstract-fields.php` receives the WP_REST_Request object as `$args`, bypassing the `weforms_clean()` fallback that sanitizes `$_POST` data for frontend submissions. The base field handler only applies `trim()` to the value. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts into form entry hidden field values via the REST API that execute when an administrator views the form entries page, where data is rendered using a Vue.js `v-html` directive without escaping.

Type: Title
Values Removed: (none)
Values Added: weForms <= 1.6.27 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Hidden Field Value via REST API

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T14:10:34.186Z

Reserved: 2026-02-18T19:24:22.125Z

Link: CVE-2026-2707

Vulnrichment

Updated: 2026-03-11T14:10:27.238Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T06:17:14.587

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-2707

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:50Z

Weaknesses