CVE-2025-3794 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability affecting the WPForms plugin for WordPress, specifically versions up to and including 1.9.5. WPForms is a widely used plugin that enables users to create contact forms, payment forms, surveys, and other interactive elements on WordPress sites. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically through the 'start_timestamp' parameter. Due to insufficient input sanitization and output escaping, authenticated users with Contributor-level access or higher can inject arbitrary JavaScript code into pages. This malicious script executes whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or redirection to malicious sites. The CVSS 3.1 base score is 5.4 (medium), with an attack vector of network (remote), low attack complexity, requiring privileges (Contributor or above), and user interaction (victim must visit the injected page). The scope is changed, indicating that the vulnerability can affect resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability was reserved in April 2025 and published in May 2025, indicating recent discovery and disclosure. Given the popularity of WordPress and WPForms, this vulnerability poses a significant risk to websites relying on this plugin, especially those allowing multiple contributors to add or edit content.

For European organizations, this vulnerability can lead to unauthorized script execution on their websites, compromising user data confidentiality and integrity. Attackers could steal session cookies, perform phishing attacks, or manipulate website content, damaging brand reputation and user trust. Organizations in sectors such as e-commerce, finance, healthcare, and government, which often use WordPress for public-facing sites, could face regulatory scrutiny under GDPR if personal data is compromised. The requirement for Contributor-level access means insider threats or compromised contributor accounts can be leveraged to exploit the vulnerability. The scope change implies that the impact could extend beyond the plugin itself, potentially affecting other site components or user sessions. Although no known exploits are reported, the medium CVSS score and ease of exploitation by authenticated users make timely mitigation critical to prevent potential attacks.

European organizations should immediately audit their WordPress installations to identify if WPForms plugin versions up to 1.9.5 are in use. Until an official patch is released, organizations should restrict Contributor-level access to trusted users only and review user roles to minimize the number of users with such privileges. Implementing Web Application Firewalls (WAF) with custom rules to detect and block suspicious input patterns in the 'start_timestamp' parameter can provide temporary protection. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly monitoring website logs for unusual activity and user behavior can aid in early detection of exploitation attempts. Once a patch is available, prompt application is essential. Organizations should also educate contributors about safe input practices and the risks of injecting untrusted content.