Sure Forms is a popular WordPress plugin with over 200,000 active installations, enabling site owners to create custom contact forms, surveys, and interactive interfaces. While robust in features and ease of use, a critical vulnerability—CVE-2025-5921—has been discovered that permits unauthenticated visitors to execute Cross‑Site Scripting (XSS). By crafting a special URL parameter, attackers can embed JavaScript into a public form field, triggering scripts in an administrator’s browser and forging a path to a persistent backdoor or account takeover.
| Field | Value |
|---|---|
| CVE | CVE-2025-5921 |
| Plugin Version | SureForms < 1.7.2 |
| Critical | High |
| All Time | 961 213 |
| Active installations | 200 000+ |
| Publicly Published | May 30, 2025 |
| Last Updated | May 30, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5921, https://wpscan.com/vulnerability/052fb6cf-274e-468b-a7e0-0e7a1751ec75/ |
Timeline

| Date | Event |
|---|---|
| June 9, 2025 | Plugin testing and vulnerability detection in the SureForms – Drag and Drop Form Builder for WordPress has been completed |
| June 9, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| July 15, 2025 | Registered CVE-2025-5921 |
Discovery of the Vulnerability
This vulnerability was identified during a black-box security assessment of the Sure Forms public submission interface. Researchers noticed that the Text block's "Default Value" setting supports dynamic placeholders of the form {get_input:param}, but the plugin fails to sanitize the URL parameter the placeholder expands to. When the form is loaded, the unsanitized parameter value is written directly into an HTML attribute of the form field, so a value that closes the attribute and adds an inline event handler yields an XSS payload that fires on hover or interaction.
Understanding XSS attacks
Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into pages viewed by other users. Reflected XSS uses parameters in the URL, while Stored XSS persists data in the database. Here, CVE-2025-5921 is a hybrid: the payload is reflected from the URL, but the injection point is a public form field, and no authentication is required. Similar vulnerabilities in WordPress plugins, such as the well-known Contact Form 7 XSS flaws, have historically led to admin session hijacking, stealthy backdoor installation, and phishing campaigns against privileged users.
Exploiting the XSS Vulnerability
To exploit CVE-2025-5921, an attacker needs no cookies or session, i.e. no authentication at all.
PoC:
1) Create a new Blank Form.
2) Add a Text block to it.
3) Change the "Default Value" field to {get_input:param}.
4) To trigger the XSS, open the form with the following GET parameter: http://127.0.0.1/someform/?param=123" onmouseover=alert(1)// and hover over the Text field.
Because this vulnerability requires no authentication, any visitor can trigger it. In a real-world scenario, an attacker could send a phishing link to an administrator, who might then inadvertently activate the payload by viewing the form. With elevated privileges, the payload could create arbitrary admin accounts, change site settings, or install malicious plugins. High‑traffic or corporate sites using Sure Forms for customer outreach would be particularly vulnerable to data theft, unauthorized access, and reputational damage.
Recommendations for Improved Security
- Sanitize URL Parameters: Plugin developers must apply robust sanitization (e.g., esc_attr(), wp_kses()) to all dynamic placeholders before rendering them in HTML attributes.
- Validate User Input: Disable or strictly validate {get_input} placeholders in unauthenticated contexts to disallow script injection.
- Implement CSP: Enforce a Content Security Policy to block onmouseover and other inline event handlers.
- Monitor Logs: Site administrators should monitor access logs for suspicious query parameters and hover-based XSS indicators.
- Update Immediately: Users should upgrade to the patched version of Sure Forms as soon as it is released and audit their forms for vulnerable placeholders.
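The following PHP is an added illustration of the first recommendation, not SureForms code: a placeholder resolver for {get_input:param} shown once without escaping (the defect class described above) and once with attribute-context escaping. It assumes the expanded value lands inside a quoted value="" attribute; esc_attr() is used when WordPress is loaded, and htmlspecialchars() with ENT_QUOTES stands in for it so the snippet also runs stand-alone.

```php
<?php
// Added example (not SureForms code). Assumption: {get_input:NAME} in a Text
// block's default value is expanded into the value="" attribute of an <input>.

// Unsafe: the GET value is spliced into the attribute untouched, so a value
// like  123" onmouseover=alert(1)//  closes the attribute and adds an inline
// event handler. This mirrors the defect class reported for SureForms < 1.7.2.
function resolve_placeholders_unsafe(string $default, array $get): string {
    return preg_replace_callback(
        '/\{get_input:([A-Za-z0-9_\-]+)\}/',
        fn(array $m): string => $get[$m[1]] ?? '',
        $default
    );
}

// Safe: every expanded value is escaped for the attribute context before it is
// written, so quotes become entities and the attribute cannot be broken out of.
function resolve_placeholders_safe(string $default, array $get): string {
    $escape = function_exists('esc_attr')
        ? 'esc_attr'   // WordPress: encodes < > & " '
        : fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_replace_callback(
        '/\{get_input:([A-Za-z0-9_\-]+)\}/',
        fn(array $m): string => $escape($get[$m[1]] ?? ''),
        $default
    );
}

// Renders the Text field with either resolver; the attribute is always quoted.
function render_text_field(string $default, array $get, bool $safe): string {
    $value = $safe
        ? resolve_placeholders_safe($default, $get)
        : resolve_placeholders_unsafe($default, $get);
    return '<input type="text" name="field" value="' . $value . '">';
}

// Constructed request mirroring the PoC query string from this advisory.
$get = ['param' => '123" onmouseover=alert(1)//'];
echo "unsafe: ", render_text_field('{get_input:param}', $get, false), "\n";
echo "safe:   ", render_text_field('{get_input:param}', $get, true), "\n";
```

Run with `php example.php`: the unsafe line shows the attribute closed early with an onmouseover handler attached, the safe line shows the same input confined to the value attribute as an escaped string.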
To prevent this type of attack, the vendor applied our recommended methods of prevention.
By taking proactive measures to address XSS vulnerabilities such as CVE-2025-5921, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.