What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in captainform Forms by CaptainForm – Form Builder for WordPress allows Reflected XSS. This issue affects Forms by CaptainForm – Form Builder for WordPress: from n/a through 2.5.3.
Explanation of Vulnerability in Simple Terms
02 Summary
Forms by CaptainForm contains a stored cross-site scripting (XSS) vulnerability in versions up to 2.5.3. An attacker can inject malicious scripts into form fields that execute when site visitors or administrators view the form or its submissions. The vulnerability requires user interaction to trigger and can affect multiple users across the site.
What an attacker can do
03 Attacker Capabilities
Inject malicious scripts that run in visitors' browsers when they view forms or submissions.
Potential impact on your site
04 Site Impact
Visitors and admins viewing forms could have their sessions hijacked, credentials stolen, or be redirected to malicious sites.
Conditions required to exploit
05 Prerequisites
Attacker must have the ability to create or edit forms in the plugin; victim must view the affected form or submission.
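The pattern behind this class of bug is a stored field value written into HTML without output encoding. The following is an added illustration, not code from the CaptainForm plugin: it renders a constructed submission row once raw and once through WordPress-style escaping, and checks whether the stored payload survives into the markup. The esc_html()/esc_attr() definitions are shims so the file runs outside WordPress; inside WordPress the core functions of those names are used instead.

```php
<?php
// Added illustration (not CaptainForm's code): a stored form value rendered
// raw becomes stored XSS; escaping it for its HTML context neutralises it.
// The shims below exist only so this runs outside WordPress; WordPress core
// already provides esc_html() and esc_attr().

if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample of a stored submission as it might sit in the database.
// One value targets a text node, the other an attribute value.
$submission = [
    'name'  => 'Alice <script>alert(1)</script>',
    'email' => 'alice@example.test" onmouseover="alert(1)',
];

// Vulnerable pattern: stored values concatenated straight into the
// "view submissions" table that an administrator opens.
function render_submission_unsafe(array $row): string
{
    return '<tr><td>' . $row['name'] . '</td>'
         . '<td><input type="text" value="' . $row['email'] . '"></td></tr>';
}

// Hardened pattern: escape each value for the context it lands in
// (esc_html for text content, esc_attr for attribute values).
function render_submission_safe(array $row): string
{
    return '<tr><td>' . esc_html($row['name']) . '</td>'
         . '<td><input type="text" value="' . esc_attr($row['email']) . '"></td></tr>';
}

// Reviewer check: does any stored value reach the markup verbatim?
// Angle brackets and quotes must not survive unencoded.
function raw_payload_survives(string $html, array $row): bool
{
    foreach ($row as $value) {
        if (strpos($html, $value) !== false) {
            return true;
        }
    }
    return false;
}

echo "Unsafe: ", render_submission_unsafe($submission), "\n";
echo "Safe:   ", render_submission_safe($submission), "\n";
var_dump(raw_payload_survives(render_submission_unsafe($submission), $submission));
var_dump(raw_payload_survives(render_submission_safe($submission), $submission));
```

Run with `php` on the command line. The unsafe renderer emits the stored `<script>` element and the broken-out attribute unchanged; the safe renderer emits `&lt;script&gt;` and `&quot;`, so the browser treats both as text. If a field is meant to carry limited HTML (a rich-text message, for example), the WordPress choice is wp_kses_post() rather than raw concatenation, and the escaping function should always match the context: esc_html for element content, esc_attr for attributes, esc_url for href/src.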
Key dates
06 Disclosure timeline
December 15, 2023: CVE published
April 28, 2026: Record updated