CVE-2025-5921: 
WordPress vulnerability analysis and mitigation

The SureForms WordPress plugin before version 1.7.2 contains a Reflected Cross-Site Scripting vulnerability (CVE-2025-5921). The vulnerability was discovered on July 11, 2025, and affects both authenticated and unauthenticated users (WPScan).

The vulnerability stems from improper sanitization and escaping of a parameter before it is output back in the page. The issue has been assigned a CVSS v3.1 base score of 5.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD). The vulnerability is classified as CWE-79, which relates to Cross-Site Scripting (XSS) issues.

When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who visit specially crafted URLs. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session (WPScan).

The vulnerability has been fixed in SureForms version 1.7.2. Users are advised to update to this version or later to mitigate the risk (WPScan).