PT-2026-56792 · WordPress · Loopus Wp Cost Estimation & Payment Forms Builder

Luc Huynh

·

Published

2026-07-09

·

Updated

2026-07-09

·

CVE-2026-9253

CVSS v3.1

7.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions WP Cost Estimation & Payment Forms Builder (E&P Forms) versions prior to 10.5.98
Description Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts through the customerInfos parameter, which execute when a user accesses the affected page.
Recommendations Update the plugin to version 10.5.98 or later. As a temporary mitigation, restrict or sanitize the input provided to the customerInfos parameter.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9253

Affected Products

Loopus Wp Cost Estimation & Payment Forms Builder