Vendor
An unauthenticated attacker can inject arbitrary web scripts into WordPress sites running the 'WP Cost Estimation & Payment Forms Builder' plugin version 10.5.97 and earlier by exploiting CVE-2026-9253, a Stored Cross-Site Scripting vulnerability via the 'customerInfos' parameter, leading to script execution in users' browsers and potential session hijacking or data theft.