{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14855", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-17T20:47:52.175Z", "datePublished": "2025-12-21T07:31:10.446Z", "dateUpdated": "2026-04-08T16:56:09.726Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:09.726Z"}, "affected": [{"vendor": "brainstormforce", "product": "SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "SureForms <= 2.2.0 - Unauthenticated Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e493f01-95db-48ba-8daf-d7ff69df29bf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sureforms/tags/2.2.0/assets/build/entries.js"}, {"url": "https://plugins.trac.wordpress.org/changeset/3423684/sureforms"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ti\u1ebfn D\u0169ng Nguy\u1ec5n"}], "timeline": [{"time": "2025-12-17T21:03:53.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-20T18:46:37.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-22T15:40:20.197303Z", "id": "CVE-2025-14855", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T15:40:45.282Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14855", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-22T15:40:20.197303Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T15:40:29.630Z"}}], "cna": {"title": "SureForms <= 2.2.0 - Unauthenticated Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Ti\u1ebfn D\u0169ng Nguy\u1ec5n"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "brainstormforce", "product": "SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-17T21:03:53.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-20T18:46:37.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e493f01-95db-48ba-8daf-d7ff69df29bf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sureforms/tags/2.2.0/assets/build/entries.js"}, {"url": "https://plugins.trac.wordpress.org/changeset/3423684/sureforms"}], "descriptions": [{"lang": "en", "value": "The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:09.726Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14855", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:56:09.726Z", "dateReserved": "2025-12-17T20:47:52.175Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-21T07:31:10.446Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-14855", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-21T08:15:49.593", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sureforms/tags/2.2.0/assets/build/entries.js"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3423684/sureforms"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e493f01-95db-48ba-8daf-d7ff69df29bf?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:55:29.801764+00:00", "value": {"mitigation_remediation": ["Upgrade the SureForms plugin to a version newer than 2.2.0 to eliminate the unsanitized input handling.", "If an upgrade is not achievable, disable the plugin or remove it until a patched version is available to prevent users from submitting malicious data.", "As a temporary measure, configure a Web Application Firewall or server rule to block requests to the plugin\u2019s form submission endpoint that contain scripts or HTML tags."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All versions of the SureForms plugin for WordPress up to 2.2.0 are affected. The plugin, developed by brainstormforce and marketed as SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder, provides a wide range of form\u2011handling features, each of which is susceptible to the stored XSS flaw when user input is not correctly filtered.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw that arises from insufficient sanitization of form field parameters in the SureForms plugin. Unauthenticated attackers can inject arbitrary JavaScript into a form submission that is subsequently rendered in a WordPress page, causing the script to execute in the browsers of any user who visits that page. This permits malicious actors to perform actions such as cookie theft, session hijacking, defacement, and other client\u2011side attacks without needing any privileged credentials.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a medium\u2011to\u2011high risk level, while an EPSS score of less than 1% suggests a low likelihood of real\u2011world exploitation at the time of this assessment. The vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, the attack vector is via the publicly accessible form submission endpoint, requiring only that an attacker crafts a request containing malicious payloads; no authentication is required. Once a victim loads a page containing the stored script, the injected code runs with the victim\u2019s privileges."}}}}, "created": "2025-12-22T11:40:13.544005+00:00", "updated": "2026-04-21T17:00:12.325255+00:00", "vendors": ["brainstormforce", "brainstormforce$PRODUCT$sureforms", "wordpress", "wordpress$PRODUCT$wordpress"]}