SureForms < 1.7.2 – Reflected XSS | CVE 2025-5921 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both authenticated and unauthenticated users.

Proof of Concept

1) Create a new blank form
2) Add a text block
3) Change "Default Value" field to {get_input:param}
3) To trigger XSS you should go to this form with following GET param: `http://example.com/someform/?param=123" onmouseover=alert(1)//`. Hover over the text field and see the XSS

Affects Plugins

Fixed in 1.7.2

References

CVE

URL

https://research.cleantalk.org/cve-2025-5921/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

052fb6cf-274e-468b-a7e0-0e7a1751ec75

Timeline

Publicly Published

2025-07-11 (about 5 months ago)

Added

2025-07-11 (about 5 months ago)

Last Updated

2025-07-11 (about 5 months ago)

Other

Published

Title

Published

2024-02-20

Title

Tabs Shortcode and Widget <= 1.17 - Contributor+ Stored Cross-Site Scripting

Published

2022-04-28

Title

Countdown & Clock < 2.3.3 - Reflected Cross-Site Scripting

Published

2015-01-28

Title

Photo Gallery < 1.2.11 - Multiple Authenticated Reflected XSS

Published

2025-07-14

Title

Smart Flexslider <= 2.5 - Reflected Cross-Site Scripting

Published

2025-04-11

Title

Wireless Butler <= 1.0.11 - Reflected Cross-Site Scripting