Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable reflected XSS needs no auth (PR:N) but requires victim click (UI:R); scope changes to the browser (S:C) with limited confidentiality/integrity and no genuine availability impact (A:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in ARForms <= 7.1.2 versions.
AnalysisAI
Reflected cross-site scripting in the ARForms WordPress plugin (versions 7.1.2 and earlier) lets an unauthenticated remote attacker inject script into a victim's browser when the victim clicks a crafted link. Because the CVSS scope is changed (S:C), successful injection can affect the broader WordPress session/DOM context rather than only the form. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires no authentication (PR:N) but does require victim interaction (UI:R): the target must click or load an attacker-crafted URL carrying the XSS payload into the vulnerable reflected parameter of an ARForms <= 7.1.2 installation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): network-reachable, low complexity, and no privileges required, but exploitation is gated by user interaction (UI:R) since a victim must follow an attacker-supplied link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to a vulnerable ARForms endpoint containing a malicious script payload in a reflected parameter and distributes it via phishing email or a malicious page. When a logged-in administrator or site visitor clicks the link, the script executes in their browser under the site's origin, enabling session cookie theft, credential harvesting, or forged actions. … |
| Remediation | No vendor-released patch version was identified in the available data; the primary action is to upgrade to the first ARForms release published after 7.1.2 (verify the exact fixed version directly against the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/arforms/vulnerability/wordpress-arforms-plugin-7-1-2-reflected-cross-site-scripting-xss-vulnerability and the WordPress.org plugin changelog before deploying). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct inventory of all WordPress installations running ARForms plugin and identify affected versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Stored cross-site scripting in the ARForms WordPress plugin (versions ≤7.1.3) allows unauthenticated remote attackers to
The Contact Form, Survey, Quiz & Popup Form Builder WordPress plugin before 1.7.1 does not sanitise and escape some para
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40109
GHSA-2gv4-h2pg-hjh9