Stored Cross-Site Scripting Vulnerability in WP Cost Estimation & Payment Forms Builder by WordPress
CVE-2026-9253

7.2HIGH

What is CVE-2026-9253?

The WP Cost Estimation & Payment Forms Builder plugin for WordPress is vulnerable to stored cross-site scripting due to insufficient input sanitization and output escaping in the 'customerInfos' parameter. This flaw permits unauthenticated attackers to inject arbitrary scripts into web pages. When these pages are accessed by users, the injected scripts are executed, potentially compromising user data and site integrity.

Affected Version(s)

WP Cost Estimation & Payment Forms Builder 0 <= 10.5.97

WP Cost Estimation & Payment Forms Builder 0 <= 10.5.97

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Luc Huynh from Noventiq RedTeam
.