VYPR
← All advisories
Medium severity4.4NVD Advisory· Published May 24, 2025· Updated Apr 15, 2026

CVE-2025-5055

CVE-2025-5055

Description

The Smart Forms – when you need more than just a contact form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6.98 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Smart Forms WordPress plugin <=2.6.98 has stored XSS via admin settings, allowing authenticated admins on multi-site with unfiltered_html disabled to inject scripts.

Vulnerability

The Smart Forms plugin for WordPress (versions up to 2.6.98) contains a Stored Cross-Site Scripting (XSS) vulnerability in its admin settings. The issue stems from insufficient input sanitization and output escaping, allowing arbitrary JavaScript to be stored and executed.

Exploitation

Exploitation requires administrator-level access on a WordPress multi-site installation where the unfiltered_html capability has been disabled. The attacker injects malicious scripts through admin settings, which are then stored and executed when any user views the affected page. [1]

Impact

Successful exploitation enables an attacker to execute arbitrary web scripts in the context of a victim's browser. This can lead to data theft, session hijacking, or defacement of the site.

Mitigation

As of the publication date, no patch has been confirmed. Users are advised to restrict admin access, disable unfiltered_html on multi-site installations, or consider alternative plugins if the risk is unacceptable.

References
  1. Smart Forms – when you need more than just a contact form

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.