{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1294", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-14T01:02:52.933Z", "datePublished": "2025-04-24T22:22:14.575Z", "dateUpdated": "2026-04-08T16:59:12.205Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:12.205Z"}, "affected": [{"vendor": "WPQuark", "product": "eForm - WordPress Form Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.18.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The eForm - WordPress Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.18.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "eForm <= 4.18.0 - Unauthenticated Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6c5db375-e865-47ba-a3dd-462c55d066fd?source=cve"}, {"url": "https://codecanyon.net/item/eform-wordpress-form-builder/3180835"}, {"url": "https://eform.live/changelog/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Khayal Farzaliyev"}], "timeline": [{"time": "2025-04-24T09:45:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-25T16:03:05.951434Z", "id": "CVE-2025-1294", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T16:05:22.062Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1294", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-25T16:03:05.951434Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T16:03:14.378Z"}}], "cna": {"title": "eForm <= 4.18.0 - Unauthenticated Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Khayal Farzaliyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "WPQuark", "product": "eForm - WordPress Form Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.18.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-24T09:45:31.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6c5db375-e865-47ba-a3dd-462c55d066fd?source=cve"}, {"url": "https://codecanyon.net/item/eform-wordpress-form-builder/3180835"}, {"url": "https://eform.live/changelog/"}], "descriptions": [{"lang": "en", "value": "The eForm - WordPress Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.18.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:12.205Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1294", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:59:12.205Z", "dateReserved": "2025-02-14T01:02:52.933Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-24T22:22:14.575Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The eForm - WordPress Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.18.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento eForm - WordPress Form Builder de WordPress es vulnerable a Cross-Site Scripting Almacenado en todas las versiones hasta la 4.18.0 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-1294", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-24T23:15:14.720", "references": [{"source": "security@wordfence.com", "url": "https://codecanyon.net/item/eform-wordpress-form-builder/3180835"}, {"source": "security@wordfence.com", "url": "https://eform.live/changelog/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6c5db375-e865-47ba-a3dd-462c55d066fd?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:39:35.660753+00:00", "value": {"mitigation_remediation": ["Update eForm to the latest available version, which includes proper input sanitization and output escaping.", "If an immediate update is not possible, restrict form creation and submission capabilities to trusted administrators only, or temporarily disable the form builder on the site until a patch is applied.", "Scan existing form entries and remove any injected JavaScript or other malicious content to prevent it from being rendered for end users."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting via unauthenticated input injection"}, "threat_synthesis": {"affected_systems": "The affected product is eForm by WPQuark, a WordPress form\u2011builder plugin distributed through the WordPress plugin repository and CodeCanyon. Any WordPress installation that has this plugin installed with a version number 4.18.0 or earlier is vulnerable. No additional software or external integrations are mentioned as prerequisites for exploitation.", "description_and_impact": "The eForm WordPress Form Builder plugin allows users to create and manage online forms. In versions up to and including 4.18.0 the plugin does not properly sanitize or escape input that is later stored and rendered as part of a page. This flaw permits an attacker who does not need to be authenticated to embed malicious JavaScript into a form entry, which will later execute in the browser of anyone visiting that page. The result is a classic stored cross\u2011site scripting exploit that can be used to steal session cookies, deface the site, or redirect users to malicious domains. The weakness is a classic injection of unexpected code, mapped to CWE\u201179.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a medium\u2011to\u2011high severity vulnerability. The EPSS score of less than 1% shows that the probability of exploitation is very low, and the vulnerability is not listed in the CISA KEV catalog, implying no confirmed or active exploits are known. The attack vector is inferred to be unauthenticated, as the description states that no authentication is required to inject arbitrary scripts. An attacker can tamper with form entry fields as any visitor, and the stored payload will be rendered for future visitors. Because the flaw is in the plugin\u2019s data handling, exploiting it requires only the ability to submit data to the plugin, which most sites allow by default, thereby making the vulnerability relatively easy to trigger in the absence of defenses such as strict content security policies."}}}}, "created": "2026-04-22T01:45:05.622992+00:00", "updated": "2026-04-22T01:45:05.623004+00:00", "vendors": []}