CVE-2025-58665

The Form Generator for WordPress plugin (form-generator-powered-by-jotform) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This affects all versions up to and including 1.5.2. The vulnerability arises from insufficient sanitization of input fields in generated forms, allowing an attacker with contributor-level privileges or higher to inject arbitrary JavaScript or HTML payloads.

Exploitation requires an authenticated user who can create or edit forms. The attacker injects malicious script code into a form field, which is then stored on the server and executed when any visitor accesses the page containing the form [1]. No user interaction is required for the stored payload to execute in the victim's browser; however, the initial injection requires a privileged role such as editor or administrator.

Successful exploitation can lead to session hijacking, redirection to malicious sites, defacement, or theft of sensitive information like cookies or login credentials [1]. The vulnerability could be chained in mass exploitation campaigns targeting thousands of WordPress sites simultaneously.

The vendor has not released a patched version as of the advisory date. Immediate mitigation steps include updating the plugin to a version higher than 1.5.2 if available, or removing the plugin entirely until a fix is issued [1]. Site administrators are advised to restrict plugin editing capabilities to trusted users and implement web application firewall rules to block XSS payloads.