CVE-2025-52733

Vulnerability

Overview

CVE-2025-52733 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the ANON::form embedded secure form WordPress plugin, affecting versions up to and including 1.7. The root cause is improper neutralization of user input during web page generation, allowing an attacker to inject arbitrary JavaScript into the DOM of a victim's browser [1].

Exploitation

Prerequisites

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. While the vulnerability can be initiated by an unauthenticated attacker, successful execution depends on a privileged user (e.g., an administrator) performing that action. This makes the attack surface limited to scenarios where an attacker can trick a site administrator into interacting with a malicious payload [1].

Impact

If exploited, an attacker can inject malicious scripts, including redirects, advertisements, and other HTML payloads, into the affected website. These scripts execute when other visitors access the site, potentially leading to data theft, defacement, or further compromise [1].

Mitigation

The vulnerability is patched in version 1.8 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins to ensure timely protection [1].