CVE-2025-22295

The Tripetto WordPress form builder plugin (versions up to 8.0.6) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This allows an attacker to inject arbitrary HTML and JavaScript into the plugin's forms, which will be stored and executed when other users visit the affected pages [1].

Exploitation requires a privileged user, such as an administrator, to perform an action like clicking a malicious link or submitting a crafted form. The vulnerability can be triggered without direct user interaction from the victim, but the initial injection step requires a privileged user to be tricked into performing an action [1].

Successful exploitation enables an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads. These scripts execute in the context of the victim's browser when they view the compromised form, potentially leading to session hijacking, defacement, or further compromise of the WordPress site [1].

The vulnerability has been addressed in version 8.0.7 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. As this vulnerability is known to be used in mass-exploit campaigns, prompt patching is critical [1].