Description
The ARForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `value` parameter of the `arf_save_incomplete_form_data` AJAX action in all versions up to, and including, 7.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever an administrator views the "Partial Filled Form Entries" page in the ARForms dashboard.
Published: 2026-06-24
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ARForms for WordPress is vulnerable to a stored XSS flaw that can be triggered by supplying arbitrary content in the "value" parameter of the arf_save_incomplete_form_data AJAX action. The input is inadequately sanitized and not properly escaped, permitting attackers to embed malicious scripts that run whenever an administrator views the Partial Filled Form Entries page. By executing code in this privileged context, an attacker can hijack admin sessions, steal sensitive data, or perform further attacks against the site. The weakness is a classic input validation error indexed as CWE‑79.

Affected Systems

The vulnerability applies to all installations of the ARForms plugin version 7.1.3 and earlier. Any WordPress site that has not upgraded beyond this release is exposed, regardless of the underlying operating system or PHP configuration.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity issue that requires immediate attention. Because the AJAX endpoint is publicly accessible, an unauthenticated attacker can inject a payload with no additional permissions, making the flaw easy to exploit. Although EPSS is not available, the lack of KEV listing does not reduce the urgency; the vulnerability has a clearly defined attack path and can be automated by an attacker simply by visiting the site or sending crafted requests.

Generated by OpenCVE AI on June 24, 2026 at 09:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ARForms to the latest version that removes the flaw
  • If an upgrade cannot be performed immediately, completely delete or disable the arf_save_incomplete_form_data AJAX action by removing the plugin or disabling incomplete form data collection
  • Implement a web application firewall rule to block or sanitize the "value" parameter in requests to the ARForms AJAX endpoint

Generated by OpenCVE AI on June 24, 2026 at 09:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Codecanyon
Codecanyon arforms
Wordpress
Wordpress wordpress
Vendors & Products Codecanyon
Codecanyon arforms
Wordpress
Wordpress wordpress

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Description The ARForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `value` parameter of the `arf_save_incomplete_form_data` AJAX action in all versions up to, and including, 7.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever an administrator views the "Partial Filled Form Entries" page in the ARForms dashboard.
Title ARForms <= 7.1.3 - Unauthenticated Stored Cross-Site Scripting via 'value' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Codecanyon Arforms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T12:59:02.930Z

Reserved: 2026-03-06T17:01:42.736Z

Link: CVE-2026-3652

cve-icon Vulnrichment

Updated: 2026-06-24T12:58:59.734Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:05:17Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')