CVE-2025-3794 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WPForms – Easy Form Builder for WordPress plugin, which is widely used for creating contact forms, payment forms, surveys, and more. The vulnerability is due to improper neutralization of input during web page generation, specifically involving the start_timestamp parameter. This parameter is not adequately sanitized or escaped before being rendered on pages, allowing an authenticated attacker with at least Contributor-level privileges to inject arbitrary JavaScript code. When other users access the affected pages, the malicious scripts execute in their browsers, potentially compromising their session cookies, redirecting them to malicious sites, or performing unauthorized actions on their behalf. The vulnerability affects all versions up to and including 1.9.5. The CVSS 3.1 base score is 5.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges and user interaction, and impacting confidentiality and integrity but not availability. No public exploits are known at this time, but the vulnerability is publicly disclosed and enriched by CISA, indicating the need for attention. The scope is changed (S:C) because the vulnerability can affect other users beyond the attacker. This type of stored XSS is particularly dangerous in multi-user environments like WordPress sites with multiple contributors. The lack of a patch link suggests that a fix may not yet be available, emphasizing the importance of interim mitigations.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers with Contributor-level access can inject malicious scripts that execute in the context of other users’ browsers, leading to session hijacking, credential theft, unauthorized actions, or site defacement. This can erode user trust, damage brand reputation, and potentially lead to data breaches if sensitive information is exposed. Since WordPress powers a large percentage of websites globally, including many business and e-commerce sites, the impact can be widespread. The vulnerability does not affect availability directly but can facilitate further attacks that might. Organizations relying on WPForms for critical forms and data collection are at particular risk. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but this is a common scenario in collaborative environments. The scope change means that the impact extends beyond the attacker, affecting all users who view the injected content.

1. Immediately restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious input. 2. Monitor and audit existing form entries and pages for suspicious or unexpected script content, removing any malicious injections. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the start_timestamp parameter or form inputs. 4. Use Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of injected scripts. 5. Regularly update the WPForms plugin as soon as the vendor releases a patch addressing this vulnerability. 6. Educate site administrators and contributors about safe input practices and the risks of XSS. 7. Consider temporarily disabling or limiting form functionality that uses the vulnerable parameter until a patch is available. 8. Employ security plugins that provide additional input sanitization and output escaping layers beyond the plugin’s default behavior.