Skip to main content

Wp Cost Estimation Payment Forms Builder

2 CVEs product

Monthly

CVE-2026-9253 HIGH This Week

Stored cross-site scripting in the WP Cost Estimation & Payment Forms Builder (E&P Forms) WordPress plugin (Loopus) affects all versions through 10.5.97 and lets unauthenticated attackers persist arbitrary JavaScript via the 'customerInfos' parameter that fires when any user later views the injected page. Reported by Wordfence with a CVSS 3.1 base score of 7.2 (scope-changed), this is a persistent, no-authentication injection primitive rather than a reflected one. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is not confirmed in the wild.

WordPress XSS Wp Cost Estimation Payment Forms Builder
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-24363 HIGH PATCH This Week

A missing authorization vulnerability exists in the loopus WP Cost Estimation & Payment Forms Builder WordPress plugin (versions prior to 10.3.0) that allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability, classified as CWE-862 (Missing Authorization), enables unauthorized users to access or manipulate form data and cost estimation functionality that should be restricted. While no CVSS score or EPSS data is currently available, the authentication bypass nature of this vulnerability and its inclusion in vulnerability databases like ENISA EUVD-2026-15559 suggests moderate-to-high real-world exploitability.

Authentication Bypass Wp Cost Estimation Payment Forms Builder
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the WP Cost Estimation & Payment Forms Builder (E&P Forms) WordPress plugin (Loopus) affects all versions through 10.5.97 and lets unauthenticated attackers persist arbitrary JavaScript via the 'customerInfos' parameter that fires when any user later views the injected page. Reported by Wordfence with a CVSS 3.1 base score of 7.2 (scope-changed), this is a persistent, no-authentication injection primitive rather than a reflected one. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is not confirmed in the wild.

WordPress XSS Wp Cost Estimation Payment Forms Builder
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A missing authorization vulnerability exists in the loopus WP Cost Estimation & Payment Forms Builder WordPress plugin (versions prior to 10.3.0) that allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability, classified as CWE-862 (Missing Authorization), enables unauthorized users to access or manipulate form data and cost estimation functionality that should be restricted. While no CVSS score or EPSS data is currently available, the authentication bypass nature of this vulnerability and its inclusion in vulnerability databases like ENISA EUVD-2026-15559 suggests moderate-to-high real-world exploitability.

Authentication Bypass Wp Cost Estimation Payment Forms Builder
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy