Cross-site Scripting Flaw in Zigaform – Form Builder Lite by Softdiscover
CVE-2025-26989

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Zigaform – Form Builder Lite
Vendor: CVE Published:; 3 March 2025

Summary

The Zigaform – Form Builder Lite plugin by Softdiscover is susceptible to a Cross-site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation. This vulnerability allows attackers to inject malicious scripts that can be stored and later executed in the browsers of unsuspecting users. Particularly, versions from n/a up to 7.4.2 exhibit this flaw, rendering them vulnerable to data theft, session hijacking, and other web-based attacks. It is imperative for users of this plugin to implement remediation strategies to safeguard against potential exploits.

Affected Version(s)

Zigaform – Form Builder Lite <= 7.4.2

References

https://patchstack.com/database/wordpress/plugin/zigaform...

vdb-entry

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 3, 2025
Vulnerability Reserved
Feb 17, 2025

Credit

Abdi Pranata (Patchstack Alliance)