PT-2026-24579 · Boldgrid · Weforms – Easy Drag & Drop Contact Form Builder For Wordpress

Muhammad Sharief · Published 2026-03-11 · Updated 2026-03-15 · CVE-2026-2707

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: weForms versions up to and including 1.6.27
Description: The weForms plugin for WordPress is susceptible to Stored Cross-Site Scripting through the REST API entry submission endpoint. The cause is inconsistent input sanitization between the frontend AJAX handler and the REST API endpoint. When entries are submitted via the REST API, the prepare_entry() method in class-abstract-fields.php receives the WP_REST_Request object as $args, bypassing the sanitization applied to $_POST data for frontend submissions; the base field handler only applies trim() to the value. This allows authenticated attackers with Subscriber-level access or higher to inject malicious web scripts into form entry hidden field values via the REST API endpoint /wp-json/weforms/v1/forms/{id}/entries/. These scripts execute when an administrator views the form entries page, where the data is rendered through a Vue.js v-html directive without proper escaping.
Recommendations: Update weForms to a version later than 1.6.27.
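Defender-side illustration of the two points above (escape entry values before they reach a v-html style sink, and triage already-stored entries for unexpected markup); this is an added example, not weForms code. The entry structure, field names and the sample payload are constructed for the demonstration.

```javascript
// Constructed sample of stored entries as an admin page might load them.
// Structure and field names are assumptions, not weForms' real schema.
const sampleEntries = [
  { id: 1, fields: { name: "Alice", hidden_ref: "campaign-42" } },
  { id: 2, fields: { name: "Bob", hidden_ref: "<script>alert(1)</script>" } },
];

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Build the markup a v-html binding would receive. Every entry value is
// escaped first, so stored markup shows up as visible text, not as DOM.
// (Plain text interpolation or v-text avoids the sink entirely.)
function renderEntryRow(entry) {
  const cells = Object.entries(entry.fields)
    .map(([key, val]) => `<td data-field="${escapeHtml(key)}">${escapeHtml(val)}</td>`)
    .join("");
  return `<tr>${cells}</tr>`;
}

// Triage helper for responders: flag stored values containing tags, a
// javascript: URL or an inline event handler. Hidden-field submissions
// should never legitimately carry any of these.
const MARKUP = /<\/?[a-z][^>]*>|javascript:|on\w+\s*=/i;
function flagSuspiciousEntries(entries) {
  const hits = [];
  for (const e of entries) {
    for (const [field, val] of Object.entries(e.fields)) {
      if (MARKUP.test(String(val))) hits.push({ id: e.id, field });
    }
  }
  return hits;
}

// Example usage: the second entry is flagged, and its row renders inertly.
console.log(flagSuspiciousEntries(sampleEntries)); // [ { id: 2, field: 'hidden_ref' } ]
console.log(renderEntryRow(sampleEntries[1]));
```

The escaping belongs in addition to, not instead of, server-side sanitization on every submission path (AJAX and REST alike); the triage regex is a heuristic for reviewing existing data, not a filter.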

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-2707

Affected Products

Weforms – Easy Drag & Drop Contact Form Builder For Wordpress