{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/stored-xss/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5063"}],"_cs_exploited":false,"_cs_products":["NEX-Forms – Ultimate Forms Plugin for WordPress plugin \u003c= 9.1.11"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","stored-xss","cve-2026-5063"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe NEX-Forms – Ultimate Forms Plugin for WordPress, versions up to and including 9.1.11, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-5063). This flaw stems from inadequate input sanitization and output escaping within the \u003ccode\u003esubmit_nex_form()\u003c/code\u003e function. Unauthenticated attackers can exploit this vulnerability by injecting malicious JavaScript code through POST parameter key names. Successful exploitation allows the attacker to execute arbitrary scripts in the context of a user\u0026rsquo;s browser when they access a page containing the injected script, potentially leading to session hijacking, defacement, or redirection to malicious sites. 
The vulnerability was reported to Wordfence and a patch has been released.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to a WordPress page that utilizes the vulnerable NEX-Forms plugin.\u003c/li\u003e\n\u003cli\u003eThe POST request includes specially crafted parameter key names designed to inject JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esubmit_nex_form()\u003c/code\u003e function processes the POST request without properly sanitizing or escaping the malicious input.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code is stored in the WordPress database.\u003c/li\u003e\n\u003cli\u003eA legitimate user accesses a page where the form data, including the malicious script, is displayed.\u003c/li\u003e\n\u003cli\u003eThe stored JavaScript code executes within the user\u0026rsquo;s browser in the context of the WordPress page.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as stealing cookies, redirecting the user, or modifying the page content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability allows an unauthenticated attacker to inject arbitrary JavaScript code into pages using the NEX-Forms plugin. This can lead to various malicious outcomes, including user session hijacking, website defacement, or redirection to phishing sites. As the vulnerability is stored, every user who visits a page containing the malicious script will be affected until the vulnerability is patched and the malicious input is removed. 
The severity is rated as HIGH with a CVSS base score of 7.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the NEX-Forms – Ultimate Forms Plugin for WordPress to a patched release later than 9.1.11 to address CVE-2026-5063, then review stored submissions for injected markup: upgrading stops new injection but does not remove payloads that are already in the database.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious NEX-Forms POST Requests\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor HTTP request logs for POST requests whose parameter names, not only their values, contain HTML tags, event-handler attributes or \u003ccode\u003ejavascript:\u003c/code\u003e URLs. Standard web server access logs do not record request bodies, so this needs a WAF or ModSecurity audit log, or request-body logging at the application layer.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-03T06:15:57Z","date_published":"2026-05-03T06:15:57Z","id":"/briefs/2026-05-wordpress-nex-forms-xss/","summary":"The NEX-Forms WordPress plugin is vulnerable to stored XSS via POST parameter key names, allowing unauthenticated attackers to inject arbitrary web scripts.","title":"NEX-Forms WordPress Plugin Vulnerable to Stored Cross-Site Scripting (CVE-2026-5063)","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-nex-forms-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5113"}],"_cs_exploited":false,"_cs_products":["Gravity Forms plugin \u003c= 2.10.0"],"_cs_severities":["medium"],"_cs_tags":["xss","wordpress","gravityforms","cve-2026-5113","stored-xss"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Gravity Forms plugin for WordPress, a popular form builder, contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-5113. This flaw affects versions up to and including 2.10.0. The vulnerability stems from a flawed state validation mechanism combined with insufficient output escaping within the Consent field\u0026rsquo;s hidden inputs. An unauthenticated attacker can exploit this by injecting malicious JavaScript code into form entries. 
This code executes when an authenticated administrator opens the Entries List page in the WordPress administration panel, so an unauthenticated submission becomes arbitrary script running in an administrator\u0026rsquo;s browser session, with account compromise or other actions taken under that session as the likely outcome.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker builds a Consent field value that carries an XSS payload made from tags such as \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e that \u003ccode\u003ewp_kses()\u003c/code\u003e will strip, so that the value reduces to the legitimate consent label once sanitized.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted form entry to the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s state validation computes two hashes of the submitted value: one over the raw input and one over the input after sanitization with \u003ccode\u003ewp_kses()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBecause \u003ccode\u003ewp_kses()\u003c/code\u003e removes the injected \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e tag, the sanitized value is identical to the legitimate label, and its hash matches the expected state.\u003c/li\u003e\n\u003cli\u003eThe check accepts the submission when either hash matches the expected state, so the raw value, payload included, is written to the database.\u003c/li\u003e\n\u003cli\u003eAn authenticated administrator logs into the WordPress administration panel.\u003c/li\u003e\n\u003cli\u003eThe administrator opens the Entries List page for the affected form.\u003c/li\u003e\n\u003cli\u003eThe stored consent label is read from the database and output without proper escaping, causing the XSS payload to execute within the 
administrator\u0026rsquo;s browser session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5113 allows unauthenticated attackers to execute arbitrary web scripts within the context of an authenticated administrator\u0026rsquo;s browser session. This can lead to a variety of malicious outcomes, including account compromise, data theft, modification of website content, or further propagation of the attack to other administrative users. The severity of the impact depends on the privileges held by the compromised administrator account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity Forms plugin to the latest version, which includes a fix for CVE-2026-5113.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to filter out requests containing potentially malicious XSS payloads targeting the Gravity Forms Consent field.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to form submissions containing encoded or obfuscated JavaScript code. 
Analyze HTTP request parameters for unusual characters or patterns indicative of XSS attempts.\u003c/li\u003e\n\u003cli\u003eTreat stored entry values as untrusted wherever they are rendered outside the plugin\u0026rsquo;s own views (custom entry templates, notifications, exports) and escape them on output with \u003ccode\u003eesc_html()\u003c/code\u003e or \u003ccode\u003eesc_attr()\u003c/code\u003e; validation at submission time is not a substitute for output escaping.\u003c/li\u003e\n\u003cli\u003eReview existing entries of forms that use a Consent field for injected markup, since upgrading does not remove payloads that were stored before the fix.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T06:16:04Z","date_published":"2026-05-02T06:16:04Z","id":"/briefs/2026-05-gravityforms-xss/","summary":"The Gravity Forms plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via Consent field hidden inputs, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the entries list page.","title":"Gravity Forms Plugin Stored XSS Vulnerability (CVE-2026-5113)","url":"https://feed.craftedsignal.io/briefs/2026-05-gravityforms-xss/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["mckenziearts/livewire-markdown-editor (\u003c 1.3)","DigitalOcean Spaces","Cloudflare R2","Scaleway Object Storage"],"_cs_severities":["high"],"_cs_tags":["arbitrary-file-upload","stored-xss","vulnerability"],"_cs_type":"advisory","_cs_vendors":["DigitalOcean","Cloudflare","Scaleway"],"content_html":"\u003cp\u003eVersions of \u003ccode\u003emckenziearts/livewire-markdown-editor\u003c/code\u003e prior to v1.3 are vulnerable to arbitrary file upload via the \u003ccode\u003eMarkdownEditor::updatedAttachments()\u003c/code\u003e Livewire handler. This handler lacks server-side validation for file types, extensions, and content. An authenticated user with access to a page embedding the markdown editor can upload malicious files (e.g., \u003ccode\u003e.html\u003c/code\u003e, \u003ccode\u003e.svg\u003c/code\u003e, \u003ccode\u003e.js\u003c/code\u003e) to the disk configured by \u003ccode\u003elivewire-markdown-editor.disk\u003c/code\u003e. 
If this disk is a public cloud storage bucket (S3, DigitalOcean Spaces, Cloudflare R2, Scaleway Object Storage), the uploaded files are publicly accessible with a guessed \u003ccode\u003eContent-Type\u003c/code\u003e header. This vulnerability allows attackers to perform stored XSS, host phishing pages, distribute malware, and inject malicious markdown. A real-world exploitation was observed in production.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an application using a vulnerable version of \u003ccode\u003emckenziearts/livewire-markdown-editor\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a page embedding the \u003ccode\u003e\u0026lt;livewire:markdown-editor\u0026gt;\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the file upload functionality of the editor to upload a malicious file, such as a \u003ccode\u003e.html\u003c/code\u003e or \u003ccode\u003e.svg\u003c/code\u003e file containing XSS payloads.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eMarkdownEditor::updatedAttachments()\u003c/code\u003e Livewire handler processes the uploaded file without proper validation.\u003c/li\u003e\n\u003cli\u003eThe handler stores the file on the disk configured by \u003ccode\u003elivewire-markdown-editor.disk\u003c/code\u003e (e.g., a public cloud bucket like S3, DigitalOcean Spaces, Cloudflare R2, Scaleway Object Storage).\u003c/li\u003e\n\u003cli\u003eThe uploaded file becomes publicly accessible on the storage domain.\u003c/li\u003e\n\u003cli\u003eA user visits the URL of the uploaded malicious file, triggering the XSS payload or accessing the phishing page.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as stealing user credentials, redirecting users to malicious websites, or compromising the application\u0026rsquo;s integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to several serious impacts. An uploaded \u003ccode\u003e.html\u003c/code\u003e or \u003ccode\u003e.svg\u003c/code\u003e file served inline from the bucket gives the attacker stored XSS on the storage origin. The browser\u0026rsquo;s same-origin policy confines that script to the storage origin, so how far it reaches into application sessions depends on whether the bucket is served from the application\u0026rsquo;s own domain or a subdomain that shares its cookies, or the application otherwise trusts the storage origin, for example by loading scripts from it. Even where it does not, a page on a domain users associate with the application is a convincing host for phishing pages that trick users into revealing credentials, and for malware distribution that users are unlikely to question. Additionally, markdown injection via crafted filenames can compromise the integrity of the editor\u0026rsquo;s output. A real-world exploitation of this vulnerability was observed in production on a community platform using this package.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003emckenziearts/livewire-markdown-editor\u003c/code\u003e v1.3 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrading is not feasible, disable the upload UI on every instance of the editor by passing \u003ccode\u003e:show-upload=\u0026quot;false\u0026quot;\u003c/code\u003e. 
This prevents the vulnerable code path from being reached.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for the storage domain (Sigma logsource: category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for requests to objects with extensions such as \u003ccode\u003e.html\u003c/code\u003e, \u003ccode\u003e.svg\u003c/code\u003e, \u003ccode\u003e.js\u003c/code\u003e, \u003ccode\u003e.php\u003c/code\u003e, or \u003ccode\u003e.exe\u003c/code\u003e, which could indicate attempted exploitation; a 200 response means the object exists and is being served, so rank those hits first.\u003c/li\u003e\n\u003cli\u003eDeploy the accompanying file upload detection rule to identify potentially malicious file uploads to the storage domain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-livewire-markdown-editor-upload/","summary":"The livewire-markdown-editor versions before v1.3 contain an arbitrary file upload vulnerability in the MarkdownEditor::updatedAttachments() Livewire handler, allowing authenticated users to upload any file type, potentially leading to stored XSS, phishing, malware distribution, and markdown injection.","title":"livewire-markdown-editor Arbitrary File Upload Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-livewire-markdown-editor-upload/"}],"language":"en","title":"CraftedSignal Threat Feed — Stored-Xss","version":"https://jsonfeed.org/version/1.1"}
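Added example for the NEX-Forms brief in the feed above (CVE-2026-5063): a scanner for HTML or JavaScript markup in POST parameter names, the vector that brief describes. This is editor-written Python, not the plugin's code and not the feed's Sigma rule. The request records, the `/contact/` path and the request bodies are constructed for the example; in practice the bodies would come from a WAF or ModSecurity audit log, since access logs do not carry them.

```python
"""Flag HTML or JavaScript markup in POST parameter NAMES, not values.

Added example for the NEX-Forms brief (CVE-2026-5063); it is not the
plugin's code. The brief says the injection vector is the POST parameter
key name, a place most input filters never look: a filter applied to
$_POST values does nothing for keys. Standard access logs do not contain
request bodies, so feed this with bodies from a WAF/ModSecurity audit
log or application-level request logging. All requests below are
constructed for the example; /contact/ is a placeholder for any page
embedding a form.
"""
import html
import re
from urllib.parse import parse_qsl, unquote_plus

# Markup that has no legitimate place in a form field name.
MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-z!]"        # start of an HTML tag or <!-- comment
    r"|\bon[a-z]+\s*="        # inline event handler: onerror=, onload=, ...
    r"|javascript\s*:",       # javascript: URL scheme
    re.IGNORECASE,
)


def decode_key(key: str) -> str:
    """Undo the decodings a server-side template would apply before the
    key is rendered. parse_qsl() already percent-decoded once; a second
    pass catches double-encoded keys and html.unescape() turns entity
    forms such as &lt;svg&gt; back into markup."""
    return html.unescape(unquote_plus(key))


def suspicious_param_keys(body: str) -> list[str]:
    """Return the decoded parameter names in a urlencoded POST body that
    contain a tag, an event-handler attribute or a javascript: URL."""
    flagged = []
    for raw_key, _value in parse_qsl(body, keep_blank_values=True):
        key = decode_key(raw_key)
        if MARKUP_RE.search(key):
            flagged.append(key)
    return flagged


def flag_requests(records):
    """Scan (method, path, body) records and return (path, keys) for every
    POST whose parameter names carry markup."""
    hits = []
    for method, path, body in records:
        if method.upper() != "POST":
            continue
        keys = suspicious_param_keys(body)
        if keys:
            hits.append((path, keys))
    return hits


# Constructed request records shaped like a minimal WAF/app audit log.
SAMPLE_REQUESTS = [
    # benign submission
    ("POST", "/contact/", "name=Alice&email=alice%40example.com&message=hello"),
    # markup in a VALUE only: a value-level filter would handle this, and
    # it is not the vector the brief describes, so it is not flagged here
    ("POST", "/contact/", "name=%3Cb%3EAlice%3C%2Fb%3E&message=hi"),
    # markup in the KEY name
    ("POST", "/contact/", "name=Alice&%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E=1"),
    # double percent-encoded, entity-encoded key: still decodes to a tag
    ("POST", "/contact/", "%2526lt%253Bsvg%2520onload%253Dalert%25281%2529%2526gt%253B=x"),
    # GET requests are skipped
    ("GET", "/contact/", ""),
]

if __name__ == "__main__":
    for path, keys in flag_requests(SAMPLE_REQUESTS):
        print(f"{path}: suspicious parameter names {keys}")
```

The second record shows why the key-name vector is easy to miss: it contains exactly the same kind of markup as the third, but in a value, where the usual sanitization hooks run. Decoding twice before matching is deliberate; attackers double-encode precisely because a single decode on the detection side sees only `%3C`, while the application decodes again downstream.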
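Added example for the Gravity Forms brief above (CVE-2026-5113): a Python model of the state-validation logic the attack chain describes, with the accept-if-either-hash-matches check beside a hardened variant and escaped rendering. This is editor-written code, not Gravity Forms' code, and the hardened variant is not its published fix; `strip_disallowed_tags()` is a toy allowlist stripper standing in for `wp_kses()`, and the secret, label and submissions are constructed.

```python
"""Model of the Consent-field state check described for CVE-2026-5113.

Added example; this is not Gravity Forms' code and the hardened variant
is not its published fix. It models the logic the brief describes: the
form carries the expected consent label as a hashed "state", the check
hashes both the raw submission and its wp_kses()-sanitized form, accepts
if EITHER matches, and then stores the raw value. strip_disallowed_tags()
is a toy allowlist stripper standing in for wp_kses(); the secret, label
and submissions are constructed for the example.
"""
import hashlib
import hmac
import html
import re

ALLOWED_TAGS = {"a", "b", "strong", "em", "i", "br"}      # toy allowlist
TAG_RE = re.compile(r"</?\s*([A-Za-z][A-Za-z0-9]*)[^>]*>")

DEMO_SECRET = b"constructed-demo-secret"                   # constructed
EXPECTED_LABEL = "I agree to the <b>terms</b>"             # constructed
XSS_SUBMISSION = EXPECTED_LABEL + "<svg onload=alert(1)>"  # constructed


def strip_disallowed_tags(value: str) -> str:
    """Drop every tag whose name is not allowlisted; attributes on allowed
    tags are left alone, which is already more permissive than wp_kses()."""
    return TAG_RE.sub(
        lambda m: m.group(0) if m.group(1).lower() in ALLOWED_TAGS else "",
        value,
    )


def state_hash(value: str, secret: bytes) -> str:
    """Keyed hash of a field value, playing the role of the state token."""
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()


def vulnerable_store(expected_hash: str, submitted: str, secret: bytes):
    """Accept when the raw OR the sanitized value matches the expected
    state, then persist the RAW value. Stripping the <svg> tag makes the
    sanitized hash match, so the payload is stored."""
    raw_ok = hmac.compare_digest(state_hash(submitted, secret), expected_hash)
    sanitized = strip_disallowed_tags(submitted)
    sanitized_ok = hmac.compare_digest(state_hash(sanitized, secret), expected_hash)
    if raw_ok or sanitized_ok:
        return submitted
    return None


def hardened_store(expected_hash: str, submitted: str, secret: bytes):
    """One way to close the gap in the modelled logic: only the value that
    is actually going to be stored may be compared against the state, so
    anything the sanitizer would have changed is rejected outright."""
    if hmac.compare_digest(state_hash(submitted, secret), expected_hash):
        return submitted
    return None


def render_entry_cell(stored_value: str) -> str:
    """Output escaping for the entries list: even a stored payload is inert
    once it is escaped at render time (esc_html() in WordPress)."""
    return "<td>" + html.escape(stored_value, quote=True) + "</td>"


def run_demo():
    """Return (vulnerable result, hardened result, escaped render of the
    vulnerable result)."""
    expected = state_hash(EXPECTED_LABEL, DEMO_SECRET)
    vuln = vulnerable_store(expected, XSS_SUBMISSION, DEMO_SECRET)
    hard = hardened_store(expected, XSS_SUBMISSION, DEMO_SECRET)
    rendered = render_entry_cell(vuln) if vuln is not None else ""
    return vuln, hard, rendered


if __name__ == "__main__":
    vuln, hard, rendered = run_demo()
    print("vulnerable check stored:", vuln)
    print("hardened check stored:  ", hard)
    print("escaped render:         ", rendered)
```

The two defences are independent: the hardened check stops the raw value from being stored, and `render_entry_cell()` stops a stored value from executing. An equivalent way to close the validation gap is to persist the sanitized value whenever the match came from the sanitized hash; either way, the value compared must be the value written.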
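Added example for the livewire-markdown-editor brief above: the log check its recommendation describes, run over constructed web server lines for a public storage domain. This is editor-written Python, not the package's code and not the feed's file upload detection rule. The log lines, client addresses and object paths are constructed; the extension list is the brief's plus a few inline-renderable and script types.

```python
"""Flag requests to a public storage domain for object types that should
never be there: inline-renderable (.html, .svg, .xhtml), script (.js) or
executable (.php, .exe) uploads.

Added example for the livewire-markdown-editor brief; it is not the
package's code or the feed's detection rule. It parses Apache/Nginx
combined-format access lines from the host in front of the bucket or CDN
(Sigma logsource category webserver, product linux). The log lines,
addresses and paths are constructed for the example.
"""
import os
import re
from urllib.parse import urlsplit

RISKY_EXTENSIONS = {".html", ".htm", ".xhtml", ".shtml", ".svg", ".js",
                    ".php", ".phtml", ".exe"}

# Combined log format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = urlsplit(rec["target"]).path   # drop ?query before the extension check
    return rec


def risky_extension(path: str):
    """Return the lower-cased extension if it is one we alert on, else None."""
    ext = os.path.splitext(path)[1].lower()
    return ext if ext in RISKY_EXTENSIONS else None


def flag_storage_requests(lines):
    """Return the parsed records whose object path has a risky extension.
    Every hit is returned, 404 probes included; the status field lets an
    analyst rank 200 responses (the object exists and is being served) first."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ext = risky_extension(rec["path"])
        if ext:
            rec["ext"] = ext
            hits.append(rec)
    return hits


SAMPLE_LOG = [  # constructed; imagine these from the storage host's access log
    '203.0.113.7 - - [02/Jan/2024:12:03:11 +0000] "GET /attachments/report-q4.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Jan/2024:12:03:40 +0000] "GET /attachments/diagram.svg HTTP/1.1" 200 1093 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Jan/2024:12:04:02 +0000] "GET /attachments/login.html HTTP/1.1" 200 2210 "https://mail.example.net/" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Jan/2024:12:04:05 +0000] "GET /attachments/photo.JPG HTTP/1.1" 200 88120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Jan/2024:12:04:09 +0000] "GET /attachments/old.php?x=1 HTTP/1.1" 404 0 "-" "curl/8.4.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for rec in flag_storage_requests(SAMPLE_LOG):
        print(rec["status"], rec["ip"], rec["path"], "referer:", rec["referer"])
```

The referer is worth keeping in the output: a `.html` object on the storage domain reached from a webmail referer, as in the third line, is the phishing pattern the brief's impact section describes. Extension alone is only a proxy; whether an `.svg` or `.html` object actually executes depends on the `Content-Type` and `Content-Disposition` the bucket serves, which the access log does not show, so confirm hits with a `HEAD` request against the object.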