Stored Cross-Site Scripting Vulnerability in WP Cost Estimation & Payment Forms Builder by WordPress
CVE-2026-9253
7.2HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-9253?
The WP Cost Estimation & Payment Forms Builder plugin for WordPress is vulnerable to stored cross-site scripting due to insufficient input sanitization and output escaping in the 'customerInfos' parameter. This flaw permits unauthenticated attackers to inject arbitrary scripts into web pages. When these pages are accessed by users, the injected scripts are executed, potentially compromising user data and site integrity.
Affected Version(s)
WP Cost Estimation & Payment Forms Builder 0 <= 10.5.97
WP Cost Estimation & Payment Forms Builder 0 <= 10.5.97