{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5684", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-04T13:25:47.215Z", "datePublished": "2025-07-29T19:42:33.941Z", "dateUpdated": "2026-04-08T17:02:58.735Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:58.735Z"}, "affected": [{"vendor": "roxnor", "product": "MetForm \u2013 Contact Form, Survey, Quiz, & Custom Form Builder for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MetForm \u2013 Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `mf-template` DOM Element in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "MetForm <= 4.0.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via `mf-template` DOM Element", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7dded505-8968-4ed2-8883-42a3ec50155c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/metform/tags/3.9.9/public/assets/js/app.js"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "timeline": [{"time": "2025-05-29T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-07-09T14:43:35.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-29T07:07:14.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-29T20:00:32.380260Z", "id": "CVE-2025-5684", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-29T20:00:46.035Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5684", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-29T20:00:32.380260Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-29T20:00:37.111Z"}}], "cna": {"title": "MetForm <= 4.0.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via `mf-template` DOM Element", "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "roxnor", "product": "MetForm \u2013 Contact Form, Survey, Quiz, & Custom Form Builder for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-29T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-07-09T14:43:35.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-29T07:07:14.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7dded505-8968-4ed2-8883-42a3ec50155c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/metform/tags/3.9.9/public/assets/js/app.js"}], "descriptions": [{"lang": "en", "value": "The MetForm \u2013 Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `mf-template` DOM Element in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:58.735Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5684", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:02:58.735Z", "dateReserved": "2025-06-04T13:25:47.215Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-29T19:42:33.941Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MetForm \u2013 Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `mf-template` DOM Element in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento MetForm \u2013 Contact Form, Survey, Quiz, &amp; Custom Form Builder for Elementor para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del elemento DOM `mf-template` en todas las versiones hasta la 4.0.1 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficiente. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-5684", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-29T20:15:28.947", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/metform/tags/3.9.9/public/assets/js/app.js"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7dded505-8968-4ed2-8883-42a3ec50155c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:32:56.456289+00:00", "value": {"mitigation_remediation": ["Upgrade MetForm to the latest stable version that addresses the XSS flaw.", "If an upgrade is not immediately possible, remove or restrict Contributor and higher roles from the site, or disable form creation for those users.", "Configure a content\u2011security policy that blocks inline scripts or set X-Content-Type-Options and X-XSS-Protection headers to reduce the impact of any remaining stored payloads."], "summary": {"action": "Apply Patch", "impact": "Stored Cross-Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "This issue affects the MetForm \u2013 Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin distributed by roxnor. All released versions up to and including 4.0.1 are vulnerable. Customers using earlier versions should verify their installation and consider upgrading.", "description_and_impact": "The MetForm plugin is affected by a stored cross\u2011site scripting flaw that allows a contributor\u2011level user or higher to embed arbitrary JavaScript within the mf\u2011template element. When a target user views the compromised page, the malicious script runs in the victim\u2019s browser. Attackers could steal session cookies, perform actions under the victim\u2019s identity, or load external malicious content. The weakness is a classic input validation and output escaping failure classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. The EPSS score is less than 1%, implying low exploitation probability in the current period. The vulnerability is not yet in the CISA KEV catalog. Exploitation requires authenticated Contributor-level access, meaning the attacker must already have moderate privileges within the WordPress site. Attackers can inject malicious code through the admin interface by editing an existing form or creating a new one. Because the payload is stored, every user who opens the affected page will execute the script until the infection is removed."}}}}, "created": "2025-07-30T11:10:24.921078+00:00", "updated": "2026-04-21T19:45:16.071326+00:00", "vendors": ["elementor", "elementor$PRODUCT$elementor", "wordpress", "wordpress$PRODUCT$wordpress", "wpmet", "wpmet$PRODUCT$metform_elementor_contact_form_builder"]}