CVE-2025-2561: 
WordPress vulnerability analysis and mitigation

The Ninja Forms WordPress plugin versions before 3.10.1 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-2561. The vulnerability was discovered and disclosed on April 28, 2025, affecting the plugin's settings functionality where certain parameters are not properly sanitized and escaped (WPScan, Wiz).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 4.8 (Medium). The flaw specifically exists in the Custom HTML field functionality where some settings are not properly sanitized and escaped. This security issue can be exploited even when the unfiltered_html capability is disallowed, such as in multisite setups (WPScan, NVD).

When successfully exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. The malicious scripts can be triggered in two scenarios: when accessing a page or post where the affected form is embedded, and when another administrator edits the form and clicks on the HTML block (WPScan, Wiz).

The vulnerability has been patched in Ninja Forms version 3.10.1. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan, Wiz).