Sureforms
CVE-2025-3514
LOW
Severity by source
AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AnalysisAI
The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). Affected products include: Brainstormforce Sureforms. Version information: before 1.4.4.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
SureForms WordPress plugin before 2.11.1 permits unauthenticated attackers to submit manipulated payment amounts below t
The SureForms WordPress plugin before 1.4.4 does not have proper authorisation check when updating its settings via the
The SureForms - Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion d
The SureForms - Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in a
The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow hi
The SureForms WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the pa
The SureForms - Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Information Exposure in a
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today