CVE-2025-59549

Vulnerability

Overview

The GetResponse Forms plugin for WordPress (version 2.6.0 and earlier) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an authenticated attacker with the required privileges (such as Editor or Administrator) to inject arbitrary JavaScript or HTML into the plugin's forms, which is then stored and executed when other users or site visitors access the affected pages [1].

Exploitation

Requirements

Exploitation requires that the attacker has a role with sufficient privileges to modify plugin settings or form content. While user interaction from a privileged user is needed to trigger the payload (e.g., clicking a link or visiting a crafted page), the injected script executes automatically for any visitor loading the compromised page [1]. Attackers commonly use such vulnerabilities in mass-exploit campaigns targeting thousands of WordPress sites [1].

Impact

Successful exploitation allows an attacker to inject malicious scripts that can perform actions such as redirecting visitors to external sites, displaying unwanted advertisements, or stealing session cookies [1]. The impact is considered medium severity (CVSS v3: 6.5) and the vulnerability is moderate risk, though automated scanning may lead to widespread exploitation [1].

Mitigation

The vulnerability has been fixed in version 2.6.1 of the GetResponse Forms plugin [1]. Users are advised to update immediately or, if unable, contact their hosting provider for assistance. Patchstack users can enable auto-updates for vulnerable plugins [1].