Login Sign Up

CVE-2023-7063

7.2 HIGH
Cross-Site Scripting

📋 TL;DR

This vulnerability allows unauthenticated attackers to inject malicious scripts into WordPress sites using WPForms Pro plugin. When users visit pages containing these injected forms, the scripts execute automatically, potentially stealing credentials or performing unauthorized actions. All WordPress sites using WPForms Pro versions up to 1.8.5.3 are affected.

💻 Affected Systems

Products:
  • WPForms Pro WordPress Plugin
Versions: All versions up to and including 1.8.5.3
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WPForms Pro (premium version), not the free WPForms Lite plugin. Requires the plugin to be active and forms to be publicly accessible.

📦 What is this software?

Wpforms by Wpforms

View all CVEs affecting Wpforms →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, take over the WordPress site, install backdoors, deface the site, or redirect visitors to malicious sites.

🟠

Likely Case

Attackers inject malicious scripts that steal user session cookies, redirect users to phishing pages, or display unwanted advertisements.

🟢

If Mitigated

With proper input validation and output escaping, the scripts would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires submitting specially crafted form data that gets stored and later displayed without proper sanitization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.5.4

Vendor Advisory: https://wpforms.com/docs/how-to-view-recent-changes-to-the-wpforms-plugin-changelog/#1-8-5-4-2023-12-27

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WPForms Pro and click 'Update Now'. 4. Verify version shows 1.8.5.4 or higher.

🔧 Temporary Workarounds

Disable WPForms Pro Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate wpforms-pro

Restrict Form Access

all

Use WordPress access controls to restrict form submissions to authenticated users only

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with XSS protection rules
  • Monitor form submissions for suspicious script-like patterns and block malicious IPs

🔍 How to Verify

Check if Vulnerable:

Check WPForms Pro version in WordPress admin under Plugins → Installed Plugins

Check Version:

wp plugin get wpforms-pro --field=version

Verify Fix Applied:

Verify WPForms Pro version is 1.8.5.4 or higher and test form submissions with basic XSS payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual form submissions containing script tags or JavaScript code
  • Multiple failed form submissions from same IP

Network Indicators:

  • HTTP POST requests to wp-admin/admin-ajax.php with suspicious parameters
  • Form submissions containing <script> tags

SIEM Query:

source="wordpress" AND ("wpforms" OR "admin-ajax.php") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")

📊 Metadata

CVE ID: CVE-2023-7063
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CWE: CWE-79
Published: January 20, 2024
Last Updated: May 30, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-7063, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)