CVE-2025-26989: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in softdiscover's Zigaform – Form Builder Lite WordPress plugin, affecting versions through 7.4.2. The vulnerability was initially reported on January 17, 2025, by security researcher Abdi Pranata, and was publicly disclosed on February 23, 2025. The issue was assigned CVE-2025-26989 and relates to improper neutralization of input during web page generation (Patchstack, NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 6.1 (Medium) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a higher CVSS score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is particularly concerning as it can be exploited without authentication (NVD, Patchstack).

The vulnerability allows malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts are executed when visitors access the affected site, potentially compromising user security and website integrity (Patchstack).

The vulnerability has been fixed in version 7.4.3 of the plugin. Users are strongly advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).