Stored Cross-Site Scripting Vulnerability in Smart Forms Plugin for WordPress
CVE-2025-5055

4.4MEDIUM

Key Information:

Vendor: WordPress
Status: Smart Forms – When You Need More Than Just A Contact Form
Vendor: CVE Published:; 24 May 2025

What is CVE-2025-5055?

The Smart Forms plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input validation and output sanitization in its admin settings. This flaw affects versions up to and including 2.6.98, enabling authenticated attackers with administrator access to insert malicious web scripts into pages. These injected scripts execute automatically when the affected pages are accessed, posing a significant risk to multi-site installations or setups where the 'unfiltered_html' capability is disabled.

Affected Version(s)

Smart Forms – when you need more than just a contact form * <= 2.6.98

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/smart-forms/

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 24, 2025
Vulnerability Reserved
May 21, 2025

Credit

Joel Indra