
CVE-2026-2707: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in boldgrid weForms – Easy Drag & Drop Contact Form Builder For WordPress

Severity: Medium
Published: Wed Mar 11 2026 (03/11/2026, 05:27:17 UTC)
Source: CVE Database V5
Vendor/Project: boldgrid
Product: weForms – Easy Drag & Drop Contact Form Builder For WordPress

Description

CVE-2026-2707 is a stored cross-site scripting (XSS) vulnerability in the weForms WordPress plugin affecting all versions up to and including 1.6.27. The flaw arises from inconsistent input sanitization between frontend AJAX submissions and REST API entry submissions: authenticated users with Subscriber-level access or higher can inject script into hidden form fields through the REST API, and that script executes when an administrator views the form entries page, which renders entry data with Vue.js's v-html directive without escaping. The attacker needs only to submit a crafted entry via the REST API; the CVSS vector records no user interaction, although the payload fires only once an administrator opens the entries view. The vulnerability impacts confidentiality and integrity but not availability, with a CVSS score of 6.4 (medium severity). No public exploits are known.

AI-Powered Analysis

Last updated: 03/11/2026, 05:45:17 UTC

Technical Analysis

CVE-2026-2707 is a stored cross-site scripting (XSS) vulnerability in weForms, a drag-and-drop contact form builder for WordPress. It affects all versions up to and including 1.6.27.

The root cause is that the two ways of submitting an entry sanitize input differently. Frontend AJAX submissions pass through weforms_clean(), which cleans the $_POST data before the field handlers see it. Submissions to the REST endpoint (/wp-json/weforms/v1/forms/{id}/entries/) instead hand the WP_REST_Request object to prepare_entry() as $args, so the request parameters never go through weforms_clean(); the base field handler then applies only trim() to each value, which removes surrounding whitespace but leaves HTML and script intact.

Any authenticated user with Subscriber-level privileges or higher can therefore store arbitrary JavaScript in hidden form fields via the REST API. The entries page in wp-admin renders stored values through Vue.js's v-html directive, which inserts raw HTML rather than text, so the script runs in the administrator's browser when the page is viewed. From there it can issue requests to wp-admin with the administrator's session (creating a new administrator account, for instance) or perform other unauthorized actions in that context, which is why confidentiality and integrity are affected.

The CVSS 3.1 base score is 6.4 (medium). The characteristics given for this entry (network attack vector, low attack complexity, low privileges required, no user interaction, confidentiality and integrity impact but no availability impact) match the vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, with changed scope because the script executes in a victim's browser rather than in the attacker's own session. No public exploits are currently known. The CVE was reserved on 2026-02-18 and published on 2026-03-11. This entry records no fixed version; until one is installed, mitigation relies on restricting the REST entry route and adding input validation.

Potential Impact

The primary impact of CVE-2026-2707 is compromise of administrative confidentiality and integrity on WordPress sites running the vulnerable weForms plugin. An attacker with low-level authenticated access (Subscriber or above) injects JavaScript into a form entry, and it executes when an administrator views submissions. Running with the administrator's browser session, the script can perform any wp-admin action, for example creating a new administrator account, so the practical outcome is full site takeover (privilege escalation from Subscriber to administrator).

Because the payload is stored, it persists and affects every administrator who views the entries page until the entry is removed. Availability is not directly affected, but loss of administrative control enables follow-on attacks that can disrupt site operations. Organizations using weForms for contact forms or data collection face data leakage, defacement and malware distribution.

The medium CVSS score reflects the need for timely remediation, especially where several administrators review entries or the forms collect sensitive data. The absence of public exploits lowers immediate risk but does not remove it. Exploitation requires an authenticated account, which excludes purely anonymous attackers, but Subscriber is the lowest role and the one open registration hands out, so compromised or malicious low-privilege users remain a significant risk.
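Because the payload persists in the database, a responder needs to find affected entries without rendering them in wp-admin, where viewing them is exactly what triggers the script. The following WP-CLI script is an added example written for this page, not code from weForms, its vendor or the advisory. The table and column names it queries are an assumption about the plugin's schema (flagged in the header) and must be checked against the database before the output is trusted; the function and file names are this example's own.

```php
<?php
/**
 * Added example for this advisory (not code from weForms or its vendor):
 * sweep entries already stored by weForms for markup/script payloads so a
 * responder can locate and remove them without opening the entries page.
 * Run inside the site with WP-CLI:
 *
 *   wp eval-file weforms-entry-sweep.php
 *
 * ASSUMPTION: weForms keeps entries in {prefix}weforms_entries (id, form_id,
 * user_id, user_ip, created_at) and field values in {prefix}weforms_entrymeta
 * (weforms_entry_id, meta_key, meta_value). Confirm with SHOW TABLES first.
 */

if ( ! defined( 'ABSPATH' ) ) {
    fwrite( STDERR, "Run this through WP-CLI (wp eval-file) so WordPress is loaded.\n" );
    exit( 1 );
}

/**
 * Return a label for the first pattern that marks $value as active markup,
 * or null when it looks like plain text. Ordered from high to low confidence.
 */
function weforms_sweep_match( $value ) {
    static $patterns = array(
        'script tag'      => '/<\s*script\b/i',
        'event handler'   => '/\bon[a-z]+\s*=\s*["\']?[^"\'>\s]/i',
        'javascript: URL' => '/javascript\s*:/i',
        'active element'  => '/<\s*(?:img|svg|iframe|object|embed|math|video|audio|details|input|body)\b/i',
        'any HTML tag'    => '/<\s*\/?[a-z][a-z0-9-]*[^>]*>/i',
    );
    foreach ( $patterns as $label => $re ) {
        if ( preg_match( $re, $value ) ) {
            return $label;
        }
    }
    return null;
}

global $wpdb;
$entries = $wpdb->prefix . 'weforms_entries';   // assumption, see header
$meta    = $wpdb->prefix . 'weforms_entrymeta'; // assumption, see header

// The LIKE pre-filter keeps the scan cheap; the regexes above do the real test.
$rows = $wpdb->get_results(
    "SELECT m.weforms_entry_id AS entry_id, e.form_id, e.user_id, e.user_ip,
            e.created_at, m.meta_key, m.meta_value
       FROM {$meta} m
       JOIN {$entries} e ON e.id = m.weforms_entry_id
      WHERE m.meta_value LIKE '%<%' OR m.meta_value LIKE '%javascript:%'
      ORDER BY m.weforms_entry_id"
);

$hits = 0;
foreach ( $rows as $row ) {
    $label = weforms_sweep_match( (string) $row->meta_value );
    if ( null === $label ) {
        continue;
    }
    $hits++;
    // Print a neutralised excerpt; never echo the raw payload into a browser.
    $excerpt = substr( str_replace( array( "\r", "\n" ), ' ', $row->meta_value ), 0, 120 );
    printf(
        "[%s] entry %d form %d user %d ip %s at %s field %s: %s\n",
        $label, $row->entry_id, $row->form_id, $row->user_id, $row->user_ip,
        $row->created_at, $row->meta_key, esc_html( $excerpt )
    );
}
printf( "%d suspicious value(s) in %d candidate row(s).\n", $hits, count( $rows ) );
```

The user_id and user_ip columns identify the account that submitted each flagged entry, which is the lead to follow for disabling the account and checking its other activity. Export the flagged rows for evidence before deleting them, and delete through WP-CLI or SQL rather than the entries screen. The last, low-confidence pattern will also flag legitimate values that merely contain angle brackets, so treat those as review items rather than confirmed payloads.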

Mitigation Recommendations

1. Apply the vendor's fix for the sanitization flaw as soon as a patched release is available; this entry does not record a fixed version.
2. Until then, restrict the REST entry-submission route (/wp-json/weforms/v1/forms/{id}/entries/) rather than the REST API as a whole: the attacker is already authenticated, so "logged-in users only" rules do not help. Limit the route to roles that manage forms, or block it outright if only the frontend AJAX path is used.
3. Add server-side validation on the REST path so that every field, hidden fields included, is stripped of HTML and JavaScript before storage, matching what weforms_clean() does for frontend submissions.
4. Disable the entries REST endpoints entirely if they are not required.
5. Until the flaw is remediated, avoid opening the entries page in wp-admin; review submissions through the database or a text-only export, since the entries page is where the stored script executes.
6. Monitor web server and application logs for POST requests to the entries route, especially from Subscriber-level accounts or from accounts registered recently.
7. Where a WAF is in use, add rules that inspect JSON bodies sent to the REST entries route for script tags, event-handler attributes and javascript: URLs.
8. Review user roles and registration settings: Subscriber is the role WordPress assigns to self-registered accounts, so with "Anyone can register" enabled every visitor can obtain the privilege this bug requires. Disable open registration where it is not needed and remove stale accounts.
9. Audit installed plugins regularly and remove unused or outdated ones to reduce attack surface.
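Items 2, 3, 4 and 6 can be combined in one must-use plugin that runs before the plugin's own route callback. The following is an added example for this page, not code from weForms, its vendor or Wordfence. It assumes the route shape given in the analysis (/weforms/v1/forms/<id>/entries) and introduces its own constant WEFORMS_HARDEN_BLOCK_REST_ENTRIES and function names; the WordPress APIs it calls (rest_request_before_callbacks, WP_REST_Request::get_params()/set_param(), sanitize_textarea_field()) are standard core functions.

```php
<?php
/**
 * Plugin Name: weForms REST entry hardening (added example for CVE-2026-2707)
 *
 * Drop into wp-content/mu-plugins/. Added example, not code from weForms or
 * its vendor. It closes the gap the analysis describes (REST entry submissions
 * skipping the sanitizer the frontend path applies) by stripping markup from
 * every request parameter before the route callback runs, logging each
 * stripped value as a detection signal, and optionally refusing the route to
 * accounts that cannot manage the site.
 *
 * ASSUMPTIONS: the route matches /weforms/v1/forms/<id>/entries as given in
 * the analysis; the constant and function names below are this example's own.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Define as true in wp-config.php to reject the REST entries route for anyone
// who cannot manage options, when only the frontend AJAX path is needed.
if ( ! defined( 'WEFORMS_HARDEN_BLOCK_REST_ENTRIES' ) ) {
    define( 'WEFORMS_HARDEN_BLOCK_REST_ENTRIES', false );
}

const WEFORMS_HARDEN_ROUTE_RE = '#^/weforms/v1/forms/\d+/entries/?$#';

/**
 * Recursively strip markup from a submitted value. Arrays (multi-value
 * fields) are walked; non-strings pass through untouched.
 *
 * @return array{0: mixed, 1: bool} sanitized value and whether it changed.
 */
function weforms_harden_sanitize( $value ) {
    if ( is_array( $value ) ) {
        $changed = false;
        foreach ( $value as $k => $v ) {
            list( $value[ $k ], $c ) = weforms_harden_sanitize( $v );
            $changed = $changed || $c;
        }
        return array( $value, $changed );
    }
    if ( ! is_string( $value ) ) {
        return array( $value, false );
    }
    // Keeps line breaks (message fields) but strips tags, %xx octets and
    // surrounding whitespace, unlike the bare trim() the analysis describes.
    $clean = sanitize_textarea_field( $value );
    return array( $clean, $clean !== $value );
}

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( ! preg_match( WEFORMS_HARDEN_ROUTE_RE, $request->get_route() ) ) {
        return $response;
    }

    // Optional hard block (mitigation item 4): the user is already
    // authenticated at this point, so a capability check is meaningful.
    if ( WEFORMS_HARDEN_BLOCK_REST_ENTRIES && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'weforms_rest_entries_disabled',
            'Entry submission over the REST API is disabled on this site.',
            array( 'status' => 403 )
        );
    }

    // Sanitize in place (item 3). get_params() merges URL, query and body
    // parameters, so hidden fields in a JSON body are covered too.
    foreach ( $request->get_params() as $key => $value ) {
        list( $clean, $changed ) = weforms_harden_sanitize( $value );
        if ( $changed ) {
            $request->set_param( $key, $clean );
            // Detection signal (item 6): a stripped value means markup was sent.
            error_log( sprintf(
                'weforms-harden: stripped markup from param "%s" (user %d, ip %s, route %s)',
                $key,
                get_current_user_id(),
                isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
                $request->get_route()
            ) );
        }
    }
    return $response;
}, 10, 3 );
```

This is a stopgap, not the fix: the durable correction belongs at the output sink, where the entries page should escape values or use text interpolation instead of v-html. Input stripping also has a cost, since sanitize_textarea_field() removes anything that looks like a tag, so a legitimate message such as "a<b" loses text; weigh that against the exposure. Entries stored before the plugin was installed are unaffected by it and still need a sweep.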


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2026-02-18T19:24:22.125Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69b0fdcf2f860ef9432e28e6

Added to database: 3/11/2026, 5:29:51 AM

Last enriched: 3/11/2026, 5:45:17 AM

Last updated: 3/11/2026, 10:14:36 AM

