Description
The ARForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `value` parameter of the `arf_save_incomplete_form_data` AJAX action in all versions up to, and including, 7.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever an administrator views the "Partial Filled Form Entries" page in the ARForms dashboard.
Published: 2026-06-24
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ARForms for WordPress is vulnerable to a stored XSS flaw that is triggered by supplying arbitrary content in the "value" parameter of the arf_save_incomplete_form_data AJAX action. The input is neither adequately sanitized on storage nor properly escaped on output, so an attacker can store a script that runs whenever an administrator views the Partial Filled Form Entries page. Because the script executes in the administrator's browser session, an attacker can hijack admin sessions, steal sensitive data, or perform further attacks against the site. The weakness is classified as CWE-79.

Affected Systems

The vulnerability applies to all installations of the ARForms plugin version 7.1.3 and earlier. Any WordPress site that has not upgraded beyond this release is exposed, regardless of the underlying operating system or PHP configuration.

Risk and Exploitability

The CVSS score of 7.2 indicates a high-severity issue that requires immediate attention. Because the AJAX endpoint is publicly accessible, an unauthenticated attacker can store a payload with no additional permissions, making the flaw easy to exploit. Although EPSS is not available, the absence of a KEV listing does not reduce the urgency: the vulnerability has a clearly defined attack path, and exploitation can be automated with crafted requests to the site.

Generated by OpenCVE AI on June 24, 2026 at 05:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ARForms to the latest version that removes the flaw
  • If an upgrade cannot be performed immediately, disable the arf_save_incomplete_form_data AJAX action, either by turning off incomplete form data collection or by deactivating the plugin
  • Implement a web application firewall rule to block or sanitize the "value" parameter in requests to the ARForms AJAX endpoint

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 03:30:00 +0000

Type | Values Removed | Values Added
  • Description (added): The ARForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `value` parameter of the `arf_save_incomplete_form_data` AJAX action in all versions up to, and including, 7.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever an administrator views the "Partial Filled Form Entries" page in the ARForms dashboard.
  • Title (added): ARForms <= 7.1.3 - Unauthenticated Stored Cross-Site Scripting via 'value' Parameter
  • Weaknesses (added): CWE-79
  • References (added): none listed
  • Metrics (added): cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T02:29:07.959Z

Reserved: 2026-03-06T17:01:42.736Z

Link: CVE-2026-3652

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T06:00:14Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')