High severity7.1NVD Advisory· Published Mar 3, 2025· Updated Apr 23, 2026

CVE-2025-23736

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webgdawg Form To JSON form-to-json allows Reflected XSS.This issue affects Form To JSON: from n/a through <= 1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in WordPress Form To JSON plugin (<=1.0) allows attackers to inject malicious scripts via crafted requests, requiring user interaction.

Vulnerability

Overview

The Form To JSON WordPress plugin versions up to and including 1.0 suffer from a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript code that is reflected back to the user.

Exploitation

Details

An attacker can exploit this vulnerability by crafting a malicious URL or form submission that includes a payload. Successful exploitation requires user interaction, such as clicking a specially crafted link or visiting a manipulated page [1]. The vulnerability can be triggered without authentication, making it accessible to any visitor.

Impact

If exploited, an attacker can execute malicious scripts in the context of the victim's browser. This can lead to session hijacking, redirection to malicious sites, injection of advertisements, or theft of sensitive information [1].

Mitigation

As of the publication date, no official patch has been released for the plugin. Users are advised to update the plugin as soon as a fix becomes available. In the meantime, Patchstack offers a virtual mitigation rule to block attacks [1]. Given the expected mass exploitation, immediate action is recommended.

References

Cross Site Scripting (XSS) in WordPress Form To JSON Plugin

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

WordPress/Form To Jsoninferred
Range: <=1.0
Package: https://wordpress.org/plugins/form-to-json

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

patchstack.com/database/Wordpress/Plugin/form-to-json/vulnerability/wordpress-form-to-json-plugin-1-0-reflected-cross-site-scripting-xss-vulnerabilitynvd

News mentions

No linked articles in our index yet.

cvss	0.461
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000