CVE-2025-5684 is a stored cross-site scripting vulnerability identified in the MetForm – Contact Form, Survey, Quiz, & Custom Form Builder plugin for Elementor, a popular WordPress plugin. The vulnerability exists due to improper neutralization of input during web page generation, specifically involving the mf-template DOM element. This flaw allows authenticated attackers with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the injected scripts are stored persistently, they execute whenever any user accesses the affected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 4.0.1. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required (Contributor or higher), no user interaction needed, and a scope change due to affecting other users. No patches or exploit code are currently publicly available, but the risk remains significant due to the widespread use of WordPress and this plugin. The vulnerability stems from insufficient input sanitization and output escaping, which are critical for preventing XSS attacks. Attackers exploiting this vulnerability can bypass typical user input restrictions by leveraging Contributor-level access, which is often granted to less trusted users in WordPress environments. This elevates the risk of insider threats or compromised accounts being used to inject malicious scripts. The persistent nature of stored XSS increases the attack surface and potential impact compared to reflected XSS. The vulnerability is cataloged under CWE-79, which covers improper neutralization of input during web page generation. Given the plugin’s popularity, this vulnerability could affect a large number of WordPress sites globally, especially those that allow Contributor-level access without strict controls. Organizations relying on MetForm should monitor for updates from the vendor and implement compensating controls to mitigate risk until a patch is available.

The primary impact of CVE-2025-5684 is the compromise of confidentiality and integrity for websites using the vulnerable MetForm plugin. Exploitation allows attackers to execute arbitrary JavaScript in the context of the affected site, potentially leading to session hijacking, theft of sensitive user data, unauthorized actions performed with victim user privileges, and defacement or redirection of web pages. Because the vulnerability requires only Contributor-level access, attackers can leverage compromised or malicious user accounts to inject persistent malicious scripts. This can facilitate further attacks such as privilege escalation, spreading malware, or phishing campaigns targeting site visitors or administrators. The scope of impact extends to all users who visit the infected pages, increasing the risk to site visitors and administrators alike. Although availability is not directly impacted, the reputational damage and potential data breaches can have significant operational and financial consequences. Organizations with large user bases or handling sensitive information are at higher risk. The vulnerability also raises compliance concerns under data protection regulations if user data is compromised. Given the widespread use of WordPress and the MetForm plugin, the potential attack surface is substantial, affecting organizations worldwide that rely on these technologies for website functionality.

To mitigate CVE-2025-5684, organizations should immediately restrict Contributor-level access to trusted users only, minimizing the risk of malicious script injection. Implement strict user role management and audit Contributor accounts for suspicious activity. Deploy a web application firewall (WAF) with rules designed to detect and block common XSS payloads, especially targeting the mf-template DOM element. Monitor website content and logs for unusual script insertions or modifications. Until an official patch is released, consider disabling or replacing the MetForm plugin with alternative form builders that do not exhibit this vulnerability. Educate site administrators and users about the risks of XSS and the importance of cautious privilege assignment. Regularly update WordPress core and all plugins to the latest versions once patches become available. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the site. Conduct penetration testing and vulnerability scans focusing on XSS vectors to identify and remediate any residual issues. Finally, maintain backups of website data to enable quick recovery if exploitation occurs.