Plugin Exploit

XSS Vulnerability found in WPForms Plugin < 1.5.9 - Update immediately

Updated on: March 29, 2020

XSS Vulnerability found in WPForms Plugin < 1.5.9 - Update immediately

WPForms Plugin version and below were found to be vulnerable to authenticated stored XSS while I was auditing the plugin. WPForms version 1.5.9 with improved data sanitization was released on March 5, 2020.

CVE ID: CVE-2020-10385


WPForms is a popular WordPress forms plugin with over 3 million active installations. It was found to be vulnerable to authenticated Cross-Site Scripting (XSS) vulnerability. XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.


The Form Description and Field Description fields in the WPForms plugin’s Form Builder module was found to be vulnerable to stored XSS, as they did not sanitize user given input properly.

While they do not pose high security threat being an authenticated XSS vulnerability, we were able to confirm that these can be potentially exploited by an attacker to perform malicious actions on a WordPress multisite installation to have a super admin’s cookies sent to the attacker or redirect the super admin to another domain, for example, a phishing page designed to show that they have been logged out and would need to log back in, thus compromising their credentials.

We were further able to find that the form builder’s “preview” function was also vulnerable to reflected XSS.


Vulnerability reported to the WPForms team on February 18, 2020.
WPForms version 1.5.9 containing the fix to the vulnerability was released on March 5, 2020.


It is highly recommended to update the plugin to the latest version. For best security practices, you can follow the below guides:


Tags: , , , , , ,

Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany