{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5055", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-21T14:31:38.535Z", "datePublished": "2025-05-24T02:23:03.771Z", "dateUpdated": "2026-04-08T17:03:20.665Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:20.665Z"}, "affected": [{"vendor": "edgarrojas", "product": "Smart Forms \u2013 when you need more than just a contact form", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.6.98", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Smart Forms \u2013 when you need more than just a contact form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6.98 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Smart Forms <= 2.6.98 - Authenticated (Admin+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f52cbb4-8fe3-4402-8ece-261d32329a42?source=cve"}, {"url": "https://wordpress.org/plugins/smart-forms/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3337491%40smart-forms&new=3337491%40smart-forms&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Joel Indra"}], "timeline": [{"time": "2025-05-23T13:53:24.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-24T10:05:02.520487Z", "id": "CVE-2025-5055", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-24T10:05:18.759Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5055", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-24T10:05:02.520487Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-24T10:05:14.879Z"}}], "cna": {"title": "Smart Forms <= 2.6.98 - Authenticated (Admin+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Joel Indra"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "edgarrojas", "product": "Smart Forms \u2013 when you need more than just a contact form", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.6.98"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-23T13:53:24.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f52cbb4-8fe3-4402-8ece-261d32329a42?source=cve"}, {"url": "https://wordpress.org/plugins/smart-forms/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3337491%40smart-forms&new=3337491%40smart-forms&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Smart Forms \u2013 when you need more than just a contact form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6.98 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:20.665Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5055", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:03:20.665Z", "dateReserved": "2025-05-21T14:31:38.535Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-24T02:23:03.771Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Smart Forms \u2013 when you need more than just a contact form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6.98 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}, {"lang": "es", "value": "El complemento Smart Forms \u2013 when you need more than just a contact form para WordPress son vulnerables a cross-site scripting almacenado a trav\u00e9s de la configuraci\u00f3n de administrador en todas las versiones hasta la 2.6.98 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con permisos de administrador o superiores, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada. Esto solo afecta a instalaciones multisitio y a instalaciones donde se ha deshabilitado unfiltered_html."}], "id": "CVE-2025-5055", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-24T03:15:24.523", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3337491%40smart-forms&new=3337491%40smart-forms&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/smart-forms/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f52cbb4-8fe3-4402-8ece-261d32329a42?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:38:56.259485+00:00", "value": {"mitigation_remediation": ["Upgrade Smart Forms to version 2.6.99 or later to eliminate the vulnerability.", "If a version upgrade is not immediately possible, remove the unfiltered_html capability from the site or deactivate the plugin, and restrict administrator rights to trusted users only.", "Implement a security plugin that validates and sanitizes all form input, and monitor site logs for unexpected script activity."], "summary": {"action": "Immediate Patch", "impact": "Stored cross\u2011site scripting via admin settings"}, "threat_synthesis": {"affected_systems": "WordPress installations running Smart Forms up to and including version 2.6.98 are affected. The vulnerability applies only to multisite WordPress environments and to sites where the unfiltered_html capability has been disabled. The plugin is distributed by the vendor edgarrojas under the name \"Smart Forms \u2013 when you need more than just a contact form.\" All other versions are assumed unaffected.", "description_and_impact": "The Smart Forms plugin for WordPress allows a user with administrator level access or higher to inject arbitrary JavaScript into the plugin\u2019s admin settings. Because the input is insufficiently sanitized and not properly escaped, the data is stored in the database and later rendered on pages accessed by any user of the site. This Stored XSS flaw (CWE\u201179) can be used to execute scripts in visitors\u2019 browsers, potentially leading to session hijacking, data theft, or site defacement.", "risk_and_exploitability": "The CVSS score of 4.4 indicates a moderate severity. The EPSS score of less than 1% reflects a very low probability of exploitation as of the latest data. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker already possess administrator-level credentials or succeed in obtaining them; therefore, the risk is primarily among sites with weak access controls or compromised admin accounts."}}}}, "created": "2026-04-21T20:45:25.979725+00:00", "updated": "2026-04-21T20:45:25.979735+00:00", "vendors": []}