Skip to main content

Zigaform WordPress CVE-2025-26994

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Analysis Updated
Apr 25, 2026 - 00:57 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 25, 2026 - 00:57 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:42 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:42 NVD
6.1 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
MEDIUM 6.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in softdiscover Zigaform - Price Calculator & Cost Estimation Form Builder Lite allows Stored XSS. This issue affects Zigaform - Price Calculator & Cost Estimation Form Builder Lite: from n/a through 7.4.2.

AnalysisAI

Stored cross-site scripting in Zigaform WordPress plugin versions up to 7.4.2 allows unauthenticated attackers to inject malicious scripts that execute when administrators or users view affected form submissions. The vulnerability achieves changed scope (S:C in CVSS vector), enabling attackers to compromise admin sessions and potentially take over WordPress sites. EPSS probability is low at 0.08% (25th percentile), indicating limited observed exploitation activity. Patchstack vulnerability database confirms the issue but fix version is not independently verified from available data.

Technical ContextAI

The vulnerability exists in Zigaform, a WordPress plugin (cpe:2.3:a:softdiscover:zigaform) for building price calculators and estimation forms. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a stored XSS variant. The plugin fails to properly sanitize user-supplied input before storing and rendering it in the WordPress admin interface. Unlike reflected XSS, stored XSS persists in the database and executes each time the contaminated data is displayed, making it particularly dangerous in form builder plugins where admin users regularly review submissions. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the plugin's own security boundary, allowing attackers to compromise the broader WordPress installation and potentially other plugins or the underlying site.

RemediationAI

Check the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/zigaform-calculator-cost-estimation-form-builder-lite/vulnerability/wordpress-zigaform-price-calculator-cost-estimation-form-builder-lite-plugin-7-4-2-cross-site-scripting-xss-vulnerability for vendor-recommended fixes. As of this analysis, a specific patched version number is not independently confirmed from NVD or vendor sources. If no patch is available, implement these compensating controls: Restrict form submission access to authenticated trusted users only via WordPress user role requirements, reducing attack surface from unauthenticated (PR:N) to privileged users. Disable the Zigaform plugin entirely if price calculator functionality is not business-critical. Deploy WordPress security plugins with XSS filtering capabilities to provide defense-in-depth, though this is not a substitute for patching. Implement Content Security Policy headers to mitigate XSS execution, though stored XSS in admin contexts may bypass some CSP protections. Review existing form submissions in the Zigaform database for suspicious JavaScript payloads (search for script tags, event handlers, javascript: protocol) before patch application.

Share

CVE-2025-26994 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy