SureForms < 1.9.1 – Admin+ Stored XSS | CVE 2025-8282 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters when outputing them in the page, which could allow admin and above users to perform Cross-Site Scripting attacks.

Proof of Concept

1) Create a new Form
2) Add here Text block
3) Toggle on "Use Labels as Placeholders" settings
4) Change "Text Field text" to 123" onmouseover=alert(1)//
5) Preview Form and hover on Text block

Affects Plugins

Fixed in 1.9.1

References

CVE

URL

https://research.cleantalk.org/cve-2025-8282

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

62680106-1313-4ef0-80a5-33e93b4221a1

Timeline

Publicly Published

2025-09-02 (about 4 months ago)

Added

2025-09-02 (about 4 months ago)

Last Updated

2025-09-02 (about 4 months ago)

Other

Published

Title

Published

2023-11-28

Title

affiliate-toolkit – WordPress Affiliate Plugin < 3.4.4 - Reflected Cross-Site Scripting via keyword

Published

2025-11-21

Title

Cookie Notice & Compliance for GDPR / CCPA < 2.5.9 - Contributor+ Stored XSS

Published

2025-05-02

Title

Section Widget <= 3.3.1 - Reflected Cross-Site Scripting

Published

2025-04-25

Title

Simple Lightbox < 2.9.4 - Contributor+ Stored XSS

Published

2025-01-17

Title

Jet Engine < 3.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via list_tag Parameter