SureForms is a widely used WordPress plugin for building custom forms with a drag-and-drop interface. With over 200,000 active installations, it powers contact forms, feedback tools, and opt-in flows on thousands of websites. During a recent security audit, a high-severity Stored Cross-Site Scripting (XSS) vulnerability was identified in versions below 1.4.4. The flaw lets a user with Editor-level privileges store persistent JavaScript in a form's confirmation message; the payload then runs in the browser of anyone who submits the form. When exploited against an administrator, it can be used to plant a JavaScript backdoor and take over an admin account.

CVE: CVE-2025-3513
Affected versions: SureForms < 1.4.4
Severity: High
Active installations: 200,000+
Publicly published: May 30, 2025
Last updated: May 30, 2025
Researcher: Dmitrii Ignatyev
OWASP Top 10: A7 Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3513
https://wpscan.com/vulnerability/dd7e0bb3-4a98-4f62-bd2e-f30b27d71226/

Timeline

May 19, 2025: Plugin testing and vulnerability detection in SureForms – Drag and Drop Form Builder for WordPress completed.
May 19, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing it.
May 30, 2025: CVE-2025-3513 registered.

Discovery of the Vulnerability

The vulnerability lies in the “Form Confirmation” settings of SureForms. The “Confirmation Message” field was stored and later rendered to form submitters without its HTML being sanitized or escaped. An Editor can therefore save arbitrary HTML or JavaScript in the field, and it executes in the browser of any user who submits the form, including administrators testing it.

Understanding XSS Attacks

Cross-Site Scripting (XSS) occurs when input from one user is included in output sent to another user without proper sanitization or escaping. In WordPress, plugins often trust users with elevated roles (e.g., Editors) to supply raw HTML, even when that HTML is later rendered in contexts the plugin did not anticipate. A typical case is a malicious Editor embedding <img src=x onerror=alert(1)> or <script> tags in form confirmations, post titles, or shortcode attributes; once an administrator views or interacts with the content, the injected JavaScript executes with the administrator's session.

Such vulnerabilities are commonly exploited to hijack administrator sessions, create new admin accounts, inject SEO spam, or load remote malware-laden JavaScript files. In plugins like SureForms, which output user-defined content on the frontend and process it dynamically, the risk is multiplied when that content is not sanitized or escaped at the point of output.

Exploiting the XSS Vulnerability

To exploit CVE-2025-3513, an attacker with Editor or higher privileges proceeds as follows:

POC:

1) Create a new Blank Form.
2) Add an Email block to it.
3) Open the "Form Confirmation" settings, replace the "Confirmation Message" with <img src=x onerror=alert(1)>, and save.
4) To trigger the XSS, open the form on the frontend and submit it; the payload runs when the confirmation message is rendered.

____

The impact of this vulnerability is significant. Because the payload executes in the authenticated session of whoever submits the form, an attacker posing as a trusted Editor can insert JavaScript into a form's confirmation field and wait: when an administrator tests or submits the form, the payload runs silently and can, for example, add a rogue administrator user or redirect the victim to a phishing page. The stored message thereby becomes a persistent JavaScript backdoor and a path to total site compromise.

In real-world attacks, such backdoors are used to deploy malware, steal customer data, or deface public-facing websites. On high-traffic or eCommerce sites, the potential damage includes legal liability, data breach disclosures, and SEO penalties.

Recommendations for Improved Security

To mitigate this vulnerability and similar issues:

  • SureForms developers must sanitize the confirmation message when it is rendered, with wp_kses_post() (which keeps post-safe markup but strips <script> tags, on* event handlers and javascript: URLs) or, where no markup is needed, esc_html(); stored user-supplied content must never be echoed raw.
  • Site administrators should restrict the unfiltered_html capability to trusted users only (for example by adding define('DISALLOW_UNFILTERED_HTML', true); to wp-config.php), especially on multi-author sites.
  • WordPress security plugins should include real-time XSS filtering and WAF capabilities to neutralize such payloads.
  • Perform regular plugin audits and vulnerability scans using tools like WPScan or commercial SAST scanners.
  • Always keep plugins and themes up to date and remove unused ones to minimize attack surface.
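The allowlist approach named in the first recommendation above, and the output-escaping principle discussed in the XSS section, as an added illustration written for this article (it is not SureForms or WordPress code): a small Python sanitizer built on html.parser that reproduces the principle behind wp_kses_post(), run on the PoC payload beside the pre-fix render path. The allowlist, the function names (render_confirmation_vulnerable, render_confirmation_hardened, audit_confirmation) and the sample messages are constructed for the example; inside a real WordPress plugin the call to make is wp_kses_post(), not a hand-rolled sanitizer.

```python
"""Allowlist sanitization of a stored form confirmation message (added example,
not SureForms or WordPress code). Mirrors the principle of wp_kses_post():
fixed allowlist of tags/attributes, everything else dropped, all text escaped.
The allowlist and sample messages below are constructed for this illustration."""
from html import escape
from html.parser import HTMLParser

# Tag -> attributes allowed on it. A confirmation message never needs
# script/style/iframe/form, inline styles or any on* event handler.
ALLOWED = {
    "p": set(), "br": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
VOID = {"br", "img"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")

def _safe_url(value):
    """Allow http(s)/mailto and scheme-less relative URLs; reject javascript:,
    data:, vbscript: or anything else that carries a scheme."""
    v = value.strip().lower()
    if v.startswith(SAFE_URL_PREFIXES):
        return True
    return ":" not in v.split("/", 1)[0].split("?", 1)[0]

def render_confirmation_vulnerable(message):
    """Pre-1.4.4 behaviour as the article describes it: the editor-supplied
    message reaches the page unchanged and its markup runs in the submitter's browser."""
    return message

class _AllowlistSanitizer(HTMLParser):
    """Rebuild the message from allowlisted markup only, escape all text,
    and record everything that had to be dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._stack = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append(f"<{tag}>")      # tag removed, its text kept as text
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag] or (
                    name in ("href", "src") and not _safe_url(value)):
                self.dropped.append(f"{tag}[{name}]")  # e.g. img[onerror], a[href]
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self._stack.append(tag)              # remember to balance the close tag

    def handle_endtag(self, tag):
        if tag in self._stack:                   # also closes anything left open inside
            while self._stack:
                t = self._stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self._stack:                       # close tags the author left open
            self.out.append(f"</{self._stack.pop()}>")
        return "".join(self.out)

def _sanitize(message):
    s = _AllowlistSanitizer()
    s.feed(message)
    return s.result(), s.dropped

def render_confirmation_hardened(message):
    """Fixed behaviour: only allowlisted markup reaches the page."""
    return _sanitize(message)[0]

def audit_confirmation(message):
    """For messages already in the database: anything the sanitizer would drop
    is a sign the field was tampered with. An empty list means clean."""
    return _sanitize(message)[1]

# Constructed samples: a benign message, the article's PoC payload, and two
# variants that a naive "strip <script>" filter would miss.
SAMPLES = {
    "benign": '<p>Thanks, <strong>your message</strong> was sent. '
              '<a href="https://example.com/faq">FAQ</a></p>',
    "poc": "<img src=x onerror=alert(1)>",
    "script": "<p>Thanks!</p><script>alert(document.cookie)</script>",
    "js_url": '<a href="javascript:alert(document.cookie)">Continue</a>',
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"[{name}] vulnerable: {render_confirmation_vulnerable(msg)}")
        print(f"[{name}] hardened:   {render_confirmation_hardened(msg)}")
        print(f"[{name}] dropped:    {audit_confirmation(msg)}")
```

Running it shows the PoC payload reduced to <img src="x"> with img[onerror] reported as dropped, the benign message passing through unchanged, and the script and javascript: variants neutralised while their visible text survives. The audit_confirmation() output is the check to run over already-stored confirmation messages after upgrading, since patching the render path does not remove payloads an Editor saved before the fix.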

The vendor applied the recommended mitigation; SureForms 1.4.4 contains the fix.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-3513, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability


Dmitrii I.
CVE-2025-3513 – SureForms – Stored XSS to JS Backdoor Creation – POC
