CVE-2025-8282
BaseFortify
Publication date: 2025-09-23
Last updated on: 2025-11-13
Assigner: WPScan
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sureforms | sureforms | 1.9.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8282 is a stored Cross-Site Scripting (XSS) vulnerability in the SureForms WordPress plugin versions before 1.9.1. It occurs because the plugin does not properly sanitize and escape certain parameters when displaying them on a page. This allows users with admin or higher privileges to inject malicious scripts that execute when other users view the affected page. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with admin or higher privileges to inject malicious JavaScript code into pages rendered by the SureForms plugin. This can lead to unauthorized actions such as stealing session cookies, performing actions on behalf of other users, or defacing the website. Although the CVSS score is low (3.5), the impact depends on the context and the privileges of the attacker. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying if the SureForms WordPress plugin version is prior to 1.9.1 and by testing for stored Cross-Site Scripting (XSS) in form fields accessible to admin users. A practical detection method involves creating a form in SureForms, adding a Text block, enabling the "Use Labels as Placeholders" setting, and modifying the "Text Field text" parameter to include a test payload such as `123" onmouseover=alert(1)//`. Previewing the form and hovering over the Text block should trigger the injected JavaScript alert if vulnerable. There are no specific network commands provided, but checking the plugin version and performing this form test is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the SureForms WordPress plugin to version 1.9.1 or later, where the vulnerability has been fixed. Additionally, restrict admin and higher privileges to trusted users only, as the vulnerability requires such privileges to be exploited. [1]