The weForms plugin for WordPress suffers from a stored XSS vulnerability in its REST API entry submission endpoint. The root cause is inconsistent sanitization: frontend submissions sanitize input via the weforms_clean() function, but REST API submissions bypass this and only apply trim() to input values. This allows authenticated attackers with Subscriber-level privileges or higher to inject arbitrary JavaScript into hidden form fields. When an administrator views the entries page, the injected scripts execute because the data is rendered using Vue.js's v-html directive without escaping. This vulnerability affects all versions up to and including 1.6.27.

An attacker with at least Subscriber-level access can inject malicious scripts into form entries via the REST API. These scripts execute in the context of an administrator's browser when viewing the form entries page, potentially leading to session hijacking, privilege escalation, or other malicious actions limited to the administrator's privileges. The vulnerability does not impact availability and requires authenticated access, but it compromises integrity and confidentiality to a limited extent.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict REST API access to trusted users only and avoid granting Subscriber-level or higher privileges to untrusted users. Administrators should be cautious when viewing form entries submitted via the REST API. Monitor official boldgrid advisories for updates and patches.