Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPEverest Everest Forms Pro allows Stored XSS.This issue affects Everest Forms Pro: from n/a through 1.9.10.
AnalysisAI
A stored cross-site scripting (XSS) vulnerability exists in the Everest Forms Pro WordPress plugin that allows attackers to inject malicious scripts into web pages. The plugin versions through 1.9.10 are affected, and the vulnerability can be exploited over the network with low attack complexity requiring no privileges but user interaction. With a CVSS score of 7.1 and reported by Patchstack audit team, this represents a moderate-to-high severity issue with scope change indicating potential impact beyond the vulnerable component.
Technical ContextAI
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically manifesting as a stored XSS flaw. The Everest Forms Pro plugin for WordPress fails to properly sanitize and encode user-supplied input before rendering it in web pages, allowing attackers to inject JavaScript or HTML that persists in the application database. The CVSS vector indicates network-based exploitation (AV:N) with changed scope (S:C), meaning the vulnerable component and impacted component are different, typical of XSS where the attacker compromises one user's session to affect others. The affected software is a premium WordPress form builder plugin developed by WPEverest, used for creating contact forms, surveys, and other data collection interfaces on WordPress sites.
RemediationAI
Administrators should immediately upgrade Everest Forms Pro to a version newer than 1.9.10, checking the WPEverest website or WordPress dashboard for the latest patched release. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/everest-forms-pro/vulnerability/wordpress-everest-forms-pro-plugin-1-9-10-cross-site-scripting-xss-vulnerability for specific patch details and version information. Until patching is completed, consider temporarily disabling the Everest Forms Pro plugin if it is not business-critical, or restrict access to form creation and editing capabilities to only highly trusted administrators. Implement Content Security Policy (CSP) headers on the WordPress site to mitigate XSS impact by restricting script execution to trusted sources. Review existing form submissions and stored data for any suspicious JavaScript or HTML content that may have been injected prior to patching.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13091