Zigaform WordPress CVE-2025-26994
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in softdiscover Zigaform - Price Calculator & Cost Estimation Form Builder Lite allows Stored XSS. This issue affects Zigaform - Price Calculator & Cost Estimation Form Builder Lite: from n/a through 7.4.2.
AnalysisAI
Stored cross-site scripting in Zigaform WordPress plugin versions up to 7.4.2 allows unauthenticated attackers to inject malicious scripts that execute when administrators or users view affected form submissions. The vulnerability achieves changed scope (S:C in CVSS vector), enabling attackers to compromise admin sessions and potentially take over WordPress sites. EPSS probability is low at 0.08% (25th percentile), indicating limited observed exploitation activity. Patchstack vulnerability database confirms the issue but fix version is not independently verified from available data.
Technical ContextAI
The vulnerability exists in Zigaform, a WordPress plugin (cpe:2.3:a:softdiscover:zigaform) for building price calculators and estimation forms. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a stored XSS variant. The plugin fails to properly sanitize user-supplied input before storing and rendering it in the WordPress admin interface. Unlike reflected XSS, stored XSS persists in the database and executes each time the contaminated data is displayed, making it particularly dangerous in form builder plugins where admin users regularly review submissions. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the plugin's own security boundary, allowing attackers to compromise the broader WordPress installation and potentially other plugins or the underlying site.
RemediationAI
Check the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/zigaform-calculator-cost-estimation-form-builder-lite/vulnerability/wordpress-zigaform-price-calculator-cost-estimation-form-builder-lite-plugin-7-4-2-cross-site-scripting-xss-vulnerability for vendor-recommended fixes. As of this analysis, a specific patched version number is not independently confirmed from NVD or vendor sources. If no patch is available, implement these compensating controls: Restrict form submission access to authenticated trusted users only via WordPress user role requirements, reducing attack surface from unauthenticated (PR:N) to privileged users. Disable the Zigaform plugin entirely if price calculator functionality is not business-critical. Deploy WordPress security plugins with XSS filtering capabilities to provide defense-in-depth, though this is not a substitute for patching. Implement Content Security Policy headers to mitigate XSS execution, though stored XSS in admin contexts may bypass some CSP protections. Review existing form submissions in the Zigaform database for suspicious JavaScript payloads (search for script tags, event handlers, javascript: protocol) before patch application.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today