Severity by source
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Unauthenticated network injection (AV:N/AC:L/PR:N), but execution requires an admin to view the entries page (UI:R); scope changes to the admin session with limited C/I impact.
Primary rating from vendor (Wordfence).
CVSS vector (vendor: Wordfence): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Description (CVE.org)
The ARForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the value parameter of the arf_save_incomplete_form_data AJAX action in all versions up to, and including, 7.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever an administrator views the "Partial Filled Form Entries" page in the ARForms dashboard.
Analysis (AI-generated)
Stored cross-site scripting in the ARForms WordPress plugin (versions ≤7.1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the value parameter of the arf_save_incomplete_form_data AJAX endpoint, with the payload executing in an administrator's browser when they view the Partial Filled Form Entries dashboard page. No public exploit identified at time of analysis, though Wordfence's disclosure provides enough technical detail to reproduce the injection. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | The target site must run the ARForms plugin at version 7.1.3 or earlier with the partial-form-save (incomplete entries) feature enabled so that the `arf_save_incomplete_form_data` AJAX action is reachable on `wp-admin/admin-ajax.php`. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, score 7.2 High) reflects an unauthenticated, network-reachable injection with a scope change, since the script crosses from anonymous-visitor context to an administrator session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a POST to `/wp-admin/admin-ajax.php` with `action=arf_save_incomplete_form_data` and a `value` field containing a JavaScript payload (e.g., a stored `<script>` that creates a new administrator user via the REST API). The payload is persisted and later executes in the browser of any administrator who opens the Partial Filled Form Entries page in the ARForms dashboard, granting the attacker administrative control of WordPress and a typical pivot to PHP code execution via plugin/theme upload. … |
| Remediation | No vendor-released patch identified at time of analysis; the references include only the Wordfence advisory and the CodeCanyon product page, with no fixed-version designation. … Detailed patch versions, workarounds, and compensating controls in full report. |
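The root cause named in the description is a value stored without sanitization and echoed into an admin page without escaping. The following PHP sketch, added here for illustration and not taken from the ARForms plugin, shows that pattern beside the standard WordPress fix (sanitize on save, escape on output); the option key, hook names and function names are hypothetical.

```php
<?php
// Illustrative WordPress AJAX handler and admin renderer (not the plugin's code).
// Hypothetical storage key; the plugin's real schema is not described on the page.
const DEMO_OPTION = 'demo_partial_entries';

// --- Vulnerable pattern: store raw input, echo it raw on the admin page ---
function demo_save_partial_vulnerable() {
    $entries   = get_option( DEMO_OPTION, array() );
    $entries[] = $_POST['value'];            // raw, attacker-controlled string
    update_option( DEMO_OPTION, $entries );
    wp_send_json_success();
}

function demo_render_partial_vulnerable() {
    foreach ( get_option( DEMO_OPTION, array() ) as $v ) {
        echo '<td>' . $v . '</td>';          // unescaped: stored XSS in admin context
    }
}

// --- Hardened pattern: sanitize on save, escape on output ---
function demo_save_partial_hardened() {
    // WordPress adds slashes to $_POST; remove them before sanitizing.
    $raw   = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    $clean = sanitize_textarea_field( $raw ); // strips tags and control characters
    $entries   = get_option( DEMO_OPTION, array() );
    $entries[] = $clean;
    update_option( DEMO_OPTION, $entries );
    wp_send_json_success();
}

function demo_render_partial_hardened() {
    foreach ( get_option( DEMO_OPTION, array() ) as $v ) {
        // Escaping at the point of output is the control that prevents a stored
        // payload from executing, whatever reached the database.
        echo '<td>' . esc_html( $v ) . '</td>';
    }
}

// The page states the action is reachable unauthenticated, which in WordPress
// corresponds to a "nopriv" registration; only the hardened handler is wired.
add_action( 'wp_ajax_nopriv_demo_save_partial', 'demo_save_partial_hardened' );
add_action( 'wp_ajax_demo_save_partial',        'demo_save_partial_hardened' );
```

Input sanitization alone is not sufficient, because the same stored data may be rendered in more than one place; the escaping call in the renderer is the control that must be present.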
Recommended Action (AI-generated)
WITHIN 24 HOURS: Inventory all WordPress instances running ARForms version 7.1.3 or lower; immediately deactivate the plugin across all affected systems; audit administrator login logs for unauthorized access. …
Same weakness: CWE-79 – Cross-site Scripting (XSS)
Related identifiers: EUVD-2026-38644, GHSA-74c3-6w2v-rcqg