Ninja Forms is a widely used WordPress plugin for building advanced forms without writing code, with over 700,000 active installations. A high-severity stored cross-site scripting vulnerability, CVE-2025-2560, allows a user with the Editor role to save persistent JavaScript inside a form's field configuration. The payload runs in the browser of anyone who previews the form, administrators included, so the bug can be chained into a JavaScript backdoor and an account takeover on any site running an affected version.

CVE: CVE-2025-2560
Affected versions: Ninja Forms < 3.10.1
Severity: High
All-time downloads: 53,415,976
Active installations: 700,000+
Publicly published: May 30, 2025
Last updated: May 30, 2025
Researcher: Dmitrii Ignatyev
OWASP Top 10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2524
https://wpscan.com/vulnerability/6e89ad2b-f12e-4b49-b34e-8da7d30629cd/
Timeline

March 17, 2025: Plugin testing and vulnerability detection in Ninja Forms – The Contact Form Builder That Grows With You completed
March 17, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
May 30, 2025: Registered CVE-2025-2560

Discovery of the Vulnerability

During a security review of the plugin, our team found that field settings in the form builder that accept rich text (the PoC uses the "Default Value" of a Paragraph field with "Show Rich Text Editor" enabled) are stored and later rendered without adequate sanitization. An Editor can therefore save an HTML fragment carrying a JavaScript payload; it persists in the database and executes whenever the form is previewed or rendered. Because the plugin does not apply WordPress's kses filtering to the setting before storing it, the script reaches every administrator who opens the form.

Understanding XSS attacks

Cross-Site Scripting (XSS) is one of the most common vulnerabilities in web applications, especially in extensible platforms like WordPress. Stored XSS in particular poses a high risk because the injected code stays on the server and affects every user who loads the compromised page. In WordPress, past stored XSS issues (including several in popular contact form plugins) have been used to hijack administrator sessions, create hidden users, or inject phishing forms. CVE-2025-2560 follows the same pattern: a form configuration field that the plugin trusts lets a lower-privileged role run script in the sessions of higher-privileged users.

Exploiting the XSS Vulnerability

To exploit CVE-2025-2560, an attacker with Editor or higher privileges proceeds as follows.

PoC:

1) Create a new blank form.
2) Add a "Paragraph" field, enable "Show Rich Text Editor", and set its "Default Value" to "<img src=x onerror=alert(1)>".
3) Preview the form to trigger the XSS.

(Administrators and Editors are allowed to use JavaScript in posts, pages, comments and so on, so the unfiltered_html capability should be removed from the role used for testing when checking for stored XSS with such roles.)
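The steps above are manual, and an incident responder's first question after patching is whether a payload like the one in step 2 is already sitting in a saved form. The script below is an added example, not part of the advisory or of the Ninja Forms code base: it walks every string setting of every field in a form and reports constructs that can execute script (event-handler attributes, script-capable elements, javascript:/data: URLs, including entity-obfuscated ones). The form layout is a constructed sample only loosely modelled on a Ninja Forms export (a dict with "settings" and a list of "fields"; the "textarea" type for the Paragraph field is an assumption), so adapt the field names to a real export. It also shows why a filter that only strips <script> blocks would not have caught the PoC payload, which is the reason the fix has to be allowlist-based.

```python
"""Audit saved form field settings for stored-XSS payloads (added example)."""
import json
import re
from html.parser import HTMLParser

# Constructed sample form: a benign rich-text field, the PoC payload from the
# advisory in a Paragraph field, and an entity-obfuscated javascript: link.
SAMPLE_FORM = {
    "settings": {"title": "Contact us (constructed sample)"},
    "fields": [
        {"type": "textbox", "key": "name", "label": "Name", "default": ""},
        {"type": "html", "key": "intro", "default": "<p><b>Tell us</b> about your request.</p>"},
        # Paragraph field with "Show Rich Text Editor" on, as in the PoC
        # ("textarea" as the stored type is an assumption).
        {"type": "textarea", "key": "message", "default": "<img src=x onerror=alert(1)>"},
        {"type": "html", "key": "link",
         "default": '<a href="java&#9;script:alert(document.cookie)">help</a>'},
    ],
}

DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "base", "meta", "link"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
_WS = re.compile(r"[\s\x00-\x1f]")


class _PayloadFinder(HTMLParser):
    """Collects markup that can run script, regardless of tag case or quoting."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names and decodes entities
        # in attribute values, so "java&#9;script:" arrives as "java\tscript:".
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value:
                scheme = _WS.sub("", value).lower()
                if scheme.startswith(("javascript:", "vbscript:", "data:text/html")):
                    self.findings.append(
                        f"{name} URL with {scheme.split(':')[0]}: scheme on <{tag}>")


def find_payloads(value: str) -> list[str]:
    """Describe every script-capable construct in one HTML string."""
    if "<" not in value:
        return []
    finder = _PayloadFinder()
    finder.feed(value)
    finder.close()
    return finder.findings


def naive_strip_script(value: str) -> str:
    """The kind of filter that does NOT help: it removes only <script> blocks,
    so the PoC payload passes through untouched."""
    return re.sub(r"<script\b.*?</script\s*>", "", value, flags=re.I | re.S)


def audit_form(form: dict) -> list[tuple[str, str, str]]:
    """Return (field_key, setting_name, finding) for every suspicious setting."""
    report = []
    for field in form.get("fields", []):
        key = field.get("key", "?")
        for setting, value in field.items():
            if isinstance(value, str):
                for finding in find_payloads(value):
                    report.append((key, setting, finding))
    return report


def audit_export(text: str) -> list[tuple[str, str, str]]:
    """Same audit, starting from the JSON text of a form export."""
    return audit_form(json.loads(text))


if __name__ == "__main__":
    for key, setting, finding in audit_form(SAMPLE_FORM):
        print(f"field {key!r}, setting {setting!r}: {finding}")
```

Run it against each exported form (or against the field settings pulled from the database) and treat every line of output as something a human must look at; the benign rich-text field produces no output, while the PoC payload and the obfuscated link each produce one line.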

____

This vulnerability lets an Editor pivot towards a full administrator takeover: the stored payload runs with the session of whichever administrator previews the form, and from there it can create users, install malware, exfiltrate user data, or reconfigure site settings. E-commerce sites could see customer data theft; membership sites could have credentials harvested. The gap matters most on sites where Editors do not hold the unfiltered_html capability (multisite installs, or sites that disallow unfiltered HTML), since an Editor who has it can already place script in posts. Because Ninja Forms is ubiquitous and Editors routinely test forms on high-traffic sites, the potential for abuse is significant.

Recommendations for Improved Security

Update Ninja Forms to 3.10.1 or later, the release that addresses CVE-2025-2560.

Sanitize field settings when they are saved and escape them when they are rendered: wp_kses() or wp_kses_post() for settings that must accept a limited HTML subset, esc_attr() or esc_html() for settings that need no HTML at all. Note that esc_attr() is an output-escaping function and is not a substitute for filtering stored HTML with kses.

Restrict the unfiltered_html capability to Administrators (on a single-site install Editors have it by default); defining the DISALLOW_UNFILTERED_HTML constant in wp-config.php removes it from every role, administrators included.

Deploy a Content Security Policy (CSP) that disallows inline scripts to limit what an injected payload can do. The WordPress dashboard relies heavily on inline scripts, so test a strict script-src in report-only mode before enforcing it.

Use a Web Application Firewall (WAF) to detect and block XSS payloads. Keep in mind that this payload enters through the authenticated form builder, not a public form submission, so the rules must also inspect requests to the admin side.

The vendor adopted the fixes we recommended to prevent this class of attack.

By addressing stored XSS vulnerabilities like CVE-2025-2560 proactively, WordPress site owners can strengthen their security posture and guard against exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability


Dmitrii I.
CVE-2025-2560 – Ninja Forms – Stored XSS to JS Backdoor Creation – POC
