<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Loopus - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/loopus/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 12:19:14 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/loopus/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-9253: WordPress E&amp;P Forms Plugin Stored Cross-Site Scripting</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-9253-wordpress-xss/</link><pubDate>Thu, 09 Jul 2026 12:19:14 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-9253-wordpress-xss/</guid><description>An unauthenticated attacker can inject arbitrary web scripts into WordPress sites running the 'WP Cost Estimation &amp; Payment Forms Builder' plugin version 10.5.97 and earlier by exploiting CVE-2026-9253, a Stored Cross-Site Scripting vulnerability via the 'customerInfos' parameter, leading to script execution in users' browsers and potential session hijacking or data theft.</description><content:encoded><![CDATA[<p>The 'WP Cost Estimation &amp; Payment Forms Builder' (E&amp;P Forms) plugin for WordPress, specifically versions up to and including 10.5.97, contains a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-9253. This flaw stems from insufficient input sanitization and output escaping when handling the 'customerInfos' parameter. Unauthenticated attackers can leverage this vulnerability to inject malicious web scripts into the plugin's data, which are then stored within the WordPress site's database. When a legitimate user, such as an administrator or another visitor, accesses a page where this unsanitized data is rendered, their browser will execute the injected script. This allows for various malicious activities including session hijacking, defacement of web pages, or redirection to phishing sites, posing a significant risk to the integrity and user data of affected WordPress installations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site utilizing the vulnerable 'WP Cost Estimation &amp; Payment Forms Builder' plugin (version 10.5.97 or earlier).</li>
<li>The attacker crafts a malicious JavaScript payload (e.g., <code>&lt;script&gt;alert(document.cookie)&lt;/script&gt;</code>) targeting the 'customerInfos' parameter.</li>
<li>The attacker sends an HTTP POST request to a relevant plugin endpoint (e.g., a form submission page within the plugin) with the <code>customerInfos</code> parameter containing the malicious script.</li>
<li>Due to the plugin's inadequate input sanitization and output escaping, the WordPress site's database stores the attacker's malicious JavaScript payload.</li>
<li>A legitimate user (e.g., site administrator or another website visitor) subsequently navigates to a WordPress page that displays or processes the compromised 'customerInfos' data.</li>
<li>The victim's web browser receives the rendered HTML, which now includes the attacker's injected JavaScript, and executes it in the context of the vulnerable WordPress domain.</li>
<li>The executed script can steal the user's session cookies, perform unauthorized actions on their behalf, deface the web page, or redirect the user to an attacker-controlled website.</li>
<li>The attacker successfully compromises the victim's session or manipulates website content, potentially leading to further compromise or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-9253 allows unauthenticated attackers to inject persistent malicious scripts into a WordPress site. This Stored XSS vulnerability can lead to severe consequences for the site and its users. Attackers can hijack user sessions, including those of administrators, granting them unauthorized access to the WordPress backend. This could result in complete website defacement, data theft from visitors, insertion of malicious content, or redirection to phishing and malware distribution sites. Any user accessing a page affected by the stored script is at risk, making this a widespread threat to organizations using the vulnerable plugin.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the 'WP Cost Estimation &amp; Payment Forms Builder' plugin to a version greater than 10.5.97 to patch CVE-2026-9253.</li>
<li>Implement a Web Application Firewall (WAF) with rules specifically designed to detect and block common Stored Cross-Site Scripting (XSS) payloads in HTTP request parameters.</li>
<li>Regularly review web server access logs for any suspicious HTTP POST requests containing script tags or common XSS patterns in parameters, particularly those related to the plugin's endpoints.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>xss</category><category>web-vulnerability</category><category>plugin</category></item></channel></rss>