Unauthenticated Cross-Site Scripting Vulnerability in ARForms by WordPress
CVE-2026-57338

7.1HIGH

Key Information:

Vendor: WordPress
Status: Arforms
Vendor: CVE Published:; 29 June 2026

What is CVE-2026-57338?

The ARForms plugin for WordPress contains a vulnerability that allows unauthenticated users to execute arbitrary JavaScript code via specially crafted input. This reflects the user's input back to the web page without proper sanitization, resulting in a Cross-Site Scripting (XSS) exposure. Attackers exploiting this flaw can manipulate the content within a user's browser session, potentially leading to data theft, session hijacking, or redirection to malicious sites. Users of ARForms should prioritize updating to the latest version to mitigate these security risks.

Affected Version(s)

ARForms <= 7.1.2

References

https://patchstack.com/database/wordpress/plugin/arforms/...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 29, 2026
Vulnerability Reserved
Jun 24, 2026

Credit

dutafi | Patchstack Bug Bounty Program

CVE-2026-57338 Data

JSON