Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable unauthenticated XSS requiring victim interaction; script executes in WordPress origin (scope change) with limited C/I/A impact typical of reflected/stored XSS.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in CformsII <= 15.1.3 versions.
AnalysisAI
Stored/reflected cross-site scripting in the CformsII WordPress plugin (versions ≤ 15.1.3) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when the crafted content is rendered, enabling session hijacking, credential theft, or actions on behalf of authenticated users including administrators. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 (UI:R, scope-changed). No public exploit identified at time of analysis and EPSS data was not provided.
Technical ContextAI
CformsII (cpe:2.3:a:bgermann:cformsii) is a WordPress form-builder plugin used to create contact and feedback forms. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input - likely passed through a form field, parameter, or shortcode handler - is rendered back into HTML/JavaScript context without proper output encoding or input sanitization. Because WordPress plugins render content inside the same origin as the admin dashboard, an XSS payload that fires for a logged-in administrator can escalate to full site compromise via plugin/theme editing or arbitrary PHP execution.
RemediationAI
No vendor-released patch identified at time of analysis - the Patchstack advisory and NVD entry list 15.1.3 as the highest known-vulnerable version with no fixed version published, so administrators should upgrade to a version newer than 15.1.3 once released by the maintainer (monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/cforms2/vulnerability/wordpress-cformsii-plugin-15-1-3-cross-site-scripting-xss-vulnerability). Until a fix ships, compensating controls include deactivating and removing the CformsII plugin (side effect: any forms built with it stop working and must be migrated to an alternative such as Contact Form 7 or WPForms), placing a Web Application Firewall rule (e.g., Patchstack's vPatch, Wordfence, or Cloudflare managed rules) in front of vulnerable endpoints to filter script-bearing payloads (side effect: possible false positives on legitimate rich-text submissions), and restricting unauthenticated form submissions via reCAPTCHA or IP allow-listing to reduce drive-by injection attempts (side effect: degraded UX for legitimate users).
Unrestricted file upload vulnerability in lib_nonajax.php in the CformsII plugin 14.7 and earlier for WordPress allows r
The cforms2 plugin before 15.0.2 for WordPress has CSRF related to the IP address field. Rated high severity (CVSS 8.8),
Cross-Site Request Forgery (CSRF) vulnerability in Oliver Seidel, Bastian Germann cformsII plugin <= 15.0.4 versions. Ra
Cross-Site Request Forgery in the CformsII WordPress plugin (bgermann) through version 15.1.3 allows remote unauthentica
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36925
GHSA-qpmw-qc78-jhmg