Skip to main content

WP Cost Estimation EUVDEUVD-2026-42579

| CVE-2026-9253 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 Wordfence GHSA-vm5v-xgw5-w82m
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
7.2 HIGH

Unauthenticated network-reachable stored XSS (AV:N/AC:L/PR:N); scope changes into victims' browser context (S:C) with limited confidentiality/integrity via scripting and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 12:02 vuln.today
CVE Published
Jul 09, 2026 - 11:27 cve.org
HIGH 7.2

DescriptionCVE.org

The WP Cost Estimation & Payment Forms Builder (E&P Forms) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'customerInfos' parameter in all versions up to, and including, 10.5.97 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored cross-site scripting in the WP Cost Estimation & Payment Forms Builder (E&P Forms) WordPress plugin (Loopus) affects all versions through 10.5.97 and lets unauthenticated attackers persist arbitrary JavaScript via the 'customerInfos' parameter that fires when any user later views the injected page. Reported by Wordfence with a CVSS 3.1 base score of 7.2 (scope-changed), this is a persistent, no-authentication injection primitive rather than a reflected one. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate site running vulnerable E&P Forms
Delivery
Submit form with malicious customerInfos payload
Exploit
Payload stored unsanitized in page
Execution
Victim/admin loads injected page
Persist
Script executes in their session
Impact
Steal cookies or forge admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires that the site run the WP Cost Estimation & Payment Forms Builder plugin (version ≤ 10.5.97) with a form that accepts and stores the 'customerInfos' field reachable by an unauthenticated user. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N describes a network-reachable, low-complexity, unauthenticated attack with a changed scope and limited confidentiality/integrity impact - consistent with stored XSS reaching other users' browsers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a crafted form entry setting the 'customerInfos' value to a JavaScript payload such as a script tag that exfiltrates cookies or issues an authenticated admin request. The payload is stored and later rendered unescaped when a site user or administrator views the affected page, executing in their browser session. …
Remediation No vendor-released patch identified at time of analysis; the input names 10.5.97 as vulnerable but does not confirm a fixed release, so monitor the vendor page (https://www.loopus-plugins.com/plugins/wp-cost-estimation-payments-forms) and the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/2bf0832c-13ed-4e53-9847-d5d2110eb3f8?source=cve) and upgrade to the first release above 10.5.97 as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit all WordPress instances for WP Cost Estimation & Payment Forms Builder (Loopus) plugin; immediately disable the plugin and quarantine any affected form submission data. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42579 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy