Security

Ninja Forms is one of the most widely used WordPress plugins for creating contact forms with over 700,000 active installations. Its user-friendly drag-and-drop interface makes it a favorite among both developers and non-technical users. However, in the process of a routine plugin security audit, we discovered a critical vulnerability that permits Stored Cross-Site Scripting (XSS), allowing a contributor or editor to inject malicious JavaScript and potentially establish a persistent backdoor, leading to complete account takeover.

WordPress plugins play a vital role in extending the platform’s capabilities, yet they are frequently a weak point in site security. One such case is the Kali Forms plugin, a drag-and-drop form builder currently active on over 30,000 installations. A critical vulnerability, now assigned CVE-2025-3201, was discovered in the plugin that permits users with only Contributor-level privileges to inject and store malicious JavaScript. This XSS payload can be used to hijack administrator sessions, ultimately leading to the creation of rogue admin accounts and full site compromise.

Cross-Site Scripting (XSS) remains one of the most prevalent and dangerous vulnerabilities affecting WordPress plugins, especially those that allow user-generated content. In the Easy Contact Form Lite plugin (versions prior to 1.1.29), a stored XSS vulnerability was discovered that allows Contributor-level users to inject persistent JavaScript into the form’s placeholder field. This can lead to session hijacking, site defacement, and privilege escalation attacks if exploited by a malicious user.

The WordPress ecosystem is vast, with thousands of plugins extending its core functionality. However, the flexibility of these plugins can come at the cost of security if developers don’t adhere to strict input sanitization and output escaping practices. One such vulnerability was discovered in the popular Newsletter plugin, which is installed on over 300,000 websites. The issue, now identified as CVE-2025-3583, allows for Stored Cross-Site Scripting (XSS) that can be weaponized into a JavaScript backdoor, enabling attackers to hijack administrator accounts and compromise the entire site.

Stored Cross-Site Scripting (XSS) vulnerabilities continue to pose significant risks to WordPress websites, especially those utilizing Gutenberg-compatible plugins for dynamic content embedding. A critical stored XSS vulnerability (CVE-2025-5194) was recently discovered in the WP Map Block plugin, which has since merged with aBlocks. The flaw allows users with Contributor or higher privileges to inject persistent JavaScript payloads through the map marker content, potentially compromising site integrity and administrative accounts.

In the modern WordPress ecosystem, the principle of least privilege is critical for maintaining site security. It ensures that users can only perform actions strictly necessary for their roles. However, when plugins break this fundamental principle, even seemingly harmless user roles such as “Contributor” can exploit the system and execute powerful administrative actions. This is precisely the case with CVE-2025-3471—a Broken Access Control vulnerability discovered in the SureForms plugin.

SureForms is a powerful and widely adopted WordPress plugin used for creating customizable forms. With over 200,000 active installations, it is trusted by site administrators for building contact, feedback, and survey forms with ease. However, during a recent plugin assessment, a critical vulnerability was uncovered — a Stored Cross-Site Scripting (XSS) flaw — which allows malicious JavaScript injection through form field attributes. This vulnerability can be exploited by an editor to trigger a JavaScript backdoor, potentially leading to full administrative compromise.

SureForms is a widely used WordPress plugin for creating custom forms with a drag-and-drop interface. With over 200,000 active installations, it powers contact forms, feedback tools, and opt-in flows on thousands of websites. During a recent security audit, a critical vulnerability — Stored Cross-Site Scripting (XSS) — was identified. This flaw enables a user with editor-level privileges to inject persistent JavaScript into the form confirmation message. When exploited, this vulnerability can lead to JavaScript backdoor creation and full admin account takeover.

The WP Maps plugin is a popular solution for adding interactive maps to WordPress sites, boasting over 80,000 installations. However, during a security assessment, a severe vulnerability was discovered — a Stored Cross-Site Scripting (XSS) flaw that can be leveraged by an attacker with editor privileges to inject persistent JavaScript code. This code is later executed in the context of an administrator, potentially resulting in full site takeover.