SureForms is a widely used WordPress plugin for creating custom forms with a drag-and-drop interface. With over 200,000 active installations, it powers contact forms, feedback tools, and opt-in flows on thousands of websites. During a recent security audit, a critical vulnerability — Stored Cross-Site Scripting (XSS) — was identified. This flaw enables a user with editor-level privileges to inject persistent JavaScript into the form confirmation message. When exploited, this vulnerability can lead to JavaScript backdoor creation and full admin account takeover.
|   |   |
| --- | --- |
| CVE | CVE-2025-3513 |
| Plugin | SureForms < 1.4.4 |
| Critical | High |
| All Time | 742 732 |
| Active installations | 200 000+ |
| Publicly Published | May 30, 2025 |
| Last Updated | May 30, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3513, https://wpscan.com/vulnerability/dd7e0bb3-4a98-4f62-bd2e-f30b27d71226/ |
Timeline
|   |   |
| --- | --- |
| May 19, 2025 | Plugin testing and vulnerability detection in the SureForms – Drag and Drop Form Builder for WordPress have been completed |
| May 19, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| May 30, 2025 | Registered CVE-2025-3513 |
Discovery of the Vulnerability
The vulnerability was discovered in the “Form Confirmation” settings of SureForms. Specifically, the “Confirmation Message” field failed to properly sanitize user input before rendering it to users after form submission. This oversight allows attackers to inject arbitrary HTML or JavaScript, which executes in the browser of any user who submits the form — including administrators.
Understanding XSS attacks
Cross-Site Scripting (XSS) occurs when input from one user is included in the output sent to another user without proper sanitization. In WordPress, plugins often mistakenly trust users with elevated roles (e.g., editors) to input raw HTML, even when it gets displayed in unexpected ways. A real-world example involves a malicious editor embedding `<img src=x onerror=alert(1)>` or `<script>` tags into form confirmations, post titles, or shortcode attributes. Once an administrator views or interacts with the content, the injected JavaScript executes in their session.
Such vulnerabilities are commonly exploited to hijack administrator sessions, create new admin accounts, inject SEO spam, or load remote malware-laden JavaScript files. In plugins like SureForms, which output user-defined content to the frontend and process it dynamically, the risk is multiplied if HTML is not escaped.
Exploiting the XSS Vulnerability
To exploit CVE-2025-3513, an attacker with editor+ privileges follows these steps:
PoC:
1) Create a new Blank Form.
2) Add an Email block to it.
3) Go to the "Form Confirmation" settings, replace the "Confirmation Message" with `<img src=x onerror=alert(1)>`, and save it.
4) To trigger the XSS, open the form and submit it.
The impact of this vulnerability is significant. If exploited, it enables backdoor creation through JavaScript injection, ultimately resulting in total site compromise. For instance, an attacker posing as a trusted editor could insert JavaScript into a form’s confirmation field. When an administrator tests or submits the form, the payload executes silently, possibly adding a rogue admin user or redirecting to a phishing page.
In real-world attacks, such backdoors can be used to deploy malware, steal customer data, or deface public-facing websites. On high-traffic or eCommerce sites, the potential damage includes legal liability, data breach disclosures, and SEO penalties.
Recommendations for Improved Security
To mitigate this vulnerability and similar issues:
- SureForms developers must enforce strict output escaping using `wp_kses_post()` or similar sanitization functions for all user-submitted content rendered on the frontend.
- Site administrators should restrict the `unfiltered_html` capability to trusted users only, especially on multi-author platforms.
- WordPress security plugins should include real-time XSS filtering and WAF capabilities to neutralize such payloads.
- Perform regular plugin audits and vulnerability scans using tools like WPScan or commercial SAST scanners.
- Always keep plugins and themes up to date and remove unused ones to minimize the attack surface.
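To make the first two recommendations concrete, here is an added example (it is not SureForms' code and not part of the original advisory) showing the rendering pattern that leaves a confirmation message exploitable beside a hardened version that sanitizes on save and escapes again on output. It assumes it runs inside WordPress so that `wp_kses_post()`, `wp_kses()`, `current_user_can()` and the option/AJAX helpers are available; the `example_` function names, the option key and the AJAX action name are hypothetical.

```php
<?php
// Added example, not SureForms code. Assumes WordPress is loaded so that
// wp_kses_post(), wp_kses(), current_user_can(), update_option() etc. exist.
// All example_* names and the option key are hypothetical.

/**
 * VULNERABLE pattern: the stored value is echoed verbatim, so a message such as
 * <img src=x onerror=alert(1)> saved by an editor runs in every submitter's
 * browser, including an administrator who tests the form.
 */
function example_render_confirmation_unsafe( string $stored ): string {
    return '<div class="form-confirmation">' . $stored . '</div>';
}

/**
 * Sanitize on save. Users without the unfiltered_html capability get a small
 * allow-list; everyone else still goes through wp_kses_post(), which keeps
 * ordinary post markup but drops <script> tags and on* event-handler attributes.
 */
function example_sanitize_confirmation_message( string $raw ): string {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return wp_kses_post( $raw );
    }
    $allowed = array(
        'p'      => array(),
        'br'     => array(),
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => array(), 'title' => array() ),
    );
    return wp_kses( $raw, $allowed );
}

/**
 * HARDENED pattern: escape again at output time instead of trusting the
 * database. A value stored before the fix, or written through another code
 * path (import, direct DB edit), is neutralized here as well.
 */
function example_render_confirmation_safe( string $stored ): string {
    return '<div class="form-confirmation">' . wp_kses_post( $stored ) . '</div>';
}

// Save handler (hypothetical AJAX action and option key): capability check,
// nonce check, unslash, sanitize, then store.
add_action( 'wp_ajax_example_save_confirmation', function () {
    if ( ! current_user_can( 'edit_posts' )
        || ! check_ajax_referer( 'example_save_confirmation', 'nonce', false ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw = isset( $_POST['message'] ) ? wp_unslash( $_POST['message'] ) : '';
    update_option(
        'example_confirmation_message',
        example_sanitize_confirmation_message( (string) $raw )
    );
    wp_send_json_success();
} );

// After a submission the stored message is rendered through the safe path only.
function example_confirmation_html(): string {
    $stored = (string) get_option( 'example_confirmation_message', '' );
    return example_render_confirmation_safe( $stored );
}
```

With the payload from the PoC above, `wp_kses_post()` keeps the `<img>` element but removes the `onerror` attribute, because event-handler attributes are not in WordPress's post allow-list, so nothing executes when the form is submitted. Sanitizing on both save and render is deliberate: the save-time filter protects against a user whose role should never store markup, and the render-time filter protects against content that reached the database by any other route.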
To prevent this type of attack, the vendor applied the prevention methods we recommended.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-3513, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.