Skip to main content

CRM Perks Forms EUVDEUVD-2026-43348

| CVE-2026-57421 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS is remote and unauthenticated (AV:N/PR:N) but needs the victim to click (UI:R); injected script escapes into the site origin (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:55 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks Forms crm-perks-forms allows Reflected XSS.This issue affects CRM Perks Forms: from n/a through <= 1.1.7.

AnalysisAI

Reflected cross-site scripting in the CRM Perks Forms WordPress plugin (all versions up to and including 1.1.7) lets an unauthenticated attacker inject script that executes in a victim's browser when they open a crafted link. Patchstack catalogued the issue at CVSS 3.1 7.1, and the scope-changed vector reflects that injected script runs in the WordPress site's origin rather than a sandbox. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious URL with XSS payload
Delivery
Phish victim to click link
Exploit
Payload reflected in plugin response
Execution
Script executes in site origin
Impact
Steal session or act as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the target site to run CRM Perks Forms version 1.1.7 or earlier and requires user interaction: the victim must open an attacker-crafted URL containing the reflected XSS payload (CVSS UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, 7.1 High) describes a remote, low-complexity, unauthenticated attack whose main gating factor is required user interaction (UI:R) - the victim must open a malicious link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a vulnerable CRM Perks Forms endpoint with a JavaScript payload in a reflected parameter and delivers it via phishing email, comment, or ad. When a logged-in administrator or visitor clicks the link, the script executes in the site's origin, letting the attacker steal session cookies, perform actions as the victim, or pivot to admin functions. …
Remediation Update the CRM Perks Forms plugin to the first release above 1.1.7 published by the vendor; the provided data confirms the vulnerable range (through <= 1.1.7) but does not name an exact fixed version, so treat the fix as 'upgrade to the latest available release' and verify against the vendor changelog before deploying - released patched version not independently confirmed from the provided data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: disable and deactivate the CRM Perks Forms plugin on all WordPress sites, then conduct an immediate inventory of deployments running version 1.1.7 or earlier to assess exposure scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43348 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy