ARForms: EUVD-2026-38644

CVE-2026-3652 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-24 Wordfence GHSA-74c3-6w2v-rcqg
7.2 (CVSS 3.1, Vendor: Wordfence)

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Unauthenticated network injection (AV:N/AC:L/PR:N), but execution requires an admin to view the entries page (UI:R); scope changes to admin session with limited C/I impact.

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS Vector (Vendor: Wordfence)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Jun 24, 2026 03:43 (vuln.today)
CVE Published: Jun 24, 2026 02:29 (cve.org)

Description (CVE.org)

The ARForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the value parameter of the arf_save_incomplete_form_data AJAX action in all versions up to, and including, 7.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever an administrator views the "Partial Filled Form Entries" page in the ARForms dashboard.

Analysis (AI)

Stored cross-site scripting in the ARForms WordPress plugin (versions ≤7.1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the value parameter of the arf_save_incomplete_form_data AJAX endpoint, with the payload executing in an administrator's browser when they view the Partial Filled Form Entries dashboard page. No public exploit identified at time of analysis, though Wordfence's disclosure provides enough technical detail to reproduce the injection. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify WordPress site running ARForms ≤7.1.3
Delivery: POST XSS payload to arf_save_incomplete_form_data AJAX action
Exploit: Payload stored in partial-entries table
Install: Administrator opens Partial Filled Form Entries page
C2: Script executes in admin session
Execute: Create rogue admin or upload malicious plugin
Impact: Full site takeover

Vulnerability Assessment (AI)

Exploitation: The target site must run the ARForms plugin at version 7.1.3 or earlier with the partial-form-save (incomplete entries) feature enabled so that the `arf_save_incomplete_form_data` AJAX action is reachable on `wp-admin/admin-ajax.php`. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, score 7.2 High) reflects an unauthenticated network-reachable injection with a scope change, since the script crosses from anonymous-visitor context to an administrator session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated attacker sends a POST to `/wp-admin/admin-ajax.php` with `action=arf_save_incomplete_form_data` and a `value` field containing a JavaScript payload (e.g., a stored `<script>` that creates a new administrator user via the REST API). The payload is persisted and later executes in the browser of any administrator who opens the Partial Filled Form Entries page in the ARForms dashboard, granting the attacker administrative control of WordPress and a typical pivot to PHP code execution via plugin/theme upload. …

Remediation: No vendor-released patch identified at time of analysis; the references include only the Wordfence advisory and the CodeCanyon product page, with no fixed-version designation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

WITHIN 24 HOURS: Inventory all WordPress instances running ARForms version 7.1.3 or lower; immediately deactivate the plugin across all affected systems; audit administrator login logs for unauthorized access. …



EUVD-2026-38644 vulnerability details – vuln.today
