Zigaform Form Builder Lite CVE-2025-26989
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in softdiscover Zigaform - Form Builder Lite allows Stored XSS. This issue affects Zigaform - Form Builder Lite: from n/a through 7.4.2.
AnalysisAI
Stored cross-site scripting (XSS) in Zigaform Form Builder Lite WordPress plugin through version 7.4.2 allows unauthenticated remote attackers to inject malicious scripts that execute in victims' browsers. The vulnerability requires user interaction (viewing the stored malicious content) and enables changed scope impact, potentially compromising administrator sessions and site integrity. EPSS score of 0.08% (25th percentile) indicates low observed exploitation probability despite the network-accessible attack vector. Patchstack database confirms the vulnerability but patch status is not documented in available references.
Technical ContextAI
This vulnerability affects the Zigaform Form Builder Lite WordPress plugin (cpe:2.3:a:softdiscover:zigaform:*:*:*:*:*:wordpress:*:*), a form creation and management tool for WordPress sites. The flaw represents CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating inadequate input sanitization or output encoding when processing user-supplied data that is later rendered in web pages. Stored XSS occurs when malicious payloads are persisted in the application database (typically through form submissions or configuration settings) and subsequently executed when other users view the affected content. The changed scope (S:C) in the CVSS vector indicates the vulnerable component (the plugin) can affect resources beyond its security scope, meaning successful exploitation can compromise the broader WordPress installation and user sessions outside the plugin itself.
RemediationAI
Primary remediation requires updating to a patched version once available - monitor the official WordPress plugin repository and Softdiscover vendor communications for release announcements addressing CVE-2025-26989. Check the Patchstack reference at https://patchstack.com/database/wordpress/plugin/zigaform-form-builder-lite/vulnerability/wordpress-zigaform-form-builder-lite-plugin-7-4-2-cross-site-scripting-xss-vulnerability for updated patch information. If no patch is immediately available, implement these compensating controls: (1) Restrict form creation and configuration privileges to only trusted administrator accounts, removing contributor/editor access to Zigaform settings (reduces injection surface but does not prevent admin-level attacks); (2) Deploy web application firewall (WAF) rules to detect and block common XSS payloads in form submissions, though sophisticated encoding bypasses may evade signature-based detection; (3) Enable Content Security Policy (CSP) headers with strict script-src directives to prevent inline script execution, noting this may break legitimate plugin functionality requiring careful testing; (4) Audit existing forms and stored submissions for malicious content using XSS detection tools before high-privilege users access the WordPress admin interface. Consider temporarily disabling the plugin if forms are non-critical to operations until a confirmed patch becomes available. Each mitigation layer adds defense depth but none fully eliminates risk for stored XSS vulnerabilities.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today