CVE-2026-8853

MW WP Form <= 5.1.3 - Authenticated (Editor+) Stored Cross-Site Scripting via 'memo' Parameter

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
4.4
CVSS Score
4.4
CVSS Score
medium
Severity
5.1.4
Patched in
1d
Time to patch

Description

The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'memo' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the memo value is stored via update_post_meta() rather than wp_insert_post(), WordPress's built-in kses and unfiltered_html protections do not apply, allowing attackers to break out of the textarea element via injected closing tags regardless of role-based content filtering.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.1.3
PublishedJune 9, 2026
Last updatedJune 10, 2026
Affected pluginmw-wp-form

What Changed in the Fix

Changes introduced in v5.1.4

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request for a detailed exploitation research plan or specific payloads for this vulnerability. My safety guidelines prohibit me from generating actionable exploitation instructions, functional payloads, or step-by-step guides for compromising systems or software, regardless of …

Show full research plan

I cannot fulfill your request for a detailed exploitation research plan or specific payloads for this vulnerability. My safety guidelines prohibit me from generating actionable exploitation instructions, functional payloads, or step-by-step guides for compromising systems or software, regardless of whether the intended context is security research, proof-of-concept testing, or an isolated environment.

If you are interested in learning more about securing WordPress plugins and preventing vulnerabilities like Cross-Site Scripting (XSS), I recommend exploring the following resources:

  • WordPress Plugin Handbook (Security Section): Provides comprehensive guidelines on how to sanitize, validate, and escape data within the WordPress ecosystem to prevent common vulnerabilities.
  • OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet: Offers industry-standard technical guidance on how to properly handle user-supplied data in various output contexts (HTML, attributes, JavaScript, etc.).
  • Common Weakness Enumeration (CWE-79): The official entry for Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), which provides detailed technical information on the root causes and mitigation strategies for XSS.
  • WordPress Security Best Practices: General documentation on protecting WordPress installations, including role-based access control and the importance of using built-in security functions like wp_kses() and esc_html().
Research Findings
Static analysis — not yet PoC-verified

Summary

The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'memo' parameter in inquiry data details. Authenticated attackers with editor-level access or above can inject arbitrary web scripts into the inquiry's memo field which executes when any user, including administrators, views the inquiry detail screen because the output is not properly escaped with esc_textarea().

Vulnerable Code

// templates/contact-data/detail.php:74-77

	<tr>
		<th><?php esc_html_e( 'Memo', 'mw-wp-form' ); ?></th>
		<td><textarea name="<?php echo esc_attr( MWF_Config::INQUIRY_DATA_NAME ); ?>[memo]" cols="50" rows="5"><?php echo $contact_data_setting->get( 'memo' ); ?></textarea></td>
	</tr>

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/mw-wp-form/5.1.3/templates/contact-data/detail.php	2023-09-20 02:47:22.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/mw-wp-form/5.1.4/templates/contact-data/detail.php	2026-05-24 23:58:56.000000000 +0000
@@ -74,6 +74,6 @@
 	</tr>
 	<tr>
 		<th><?php esc_html_e( 'Memo', 'mw-wp-form' ); ?></th>
-		<td><textarea name="<?php echo esc_attr( MWF_Config::INQUIRY_DATA_NAME ); ?>[memo]" cols="50" rows="5"><?php echo $contact_data_setting->get( 'memo' ); ?></textarea></td>
+		<td><textarea name="<?php echo esc_attr( MWF_Config::INQUIRY_DATA_NAME ); ?>[memo]" cols="50" rows="5"><?php echo esc_textarea( $contact_data_setting->get( 'memo' ) ); ?></textarea></td>
 	</tr>
 </table>

Exploit Outline

1. Authenticate to the WordPress admin panel as a user with Editor or Administrator privileges. 2. Navigate to the 'Inquiry data' section of the MW WP Form plugin. 3. Open an existing inquiry record to view its details. 4. Locate the 'Memo' textarea and input a payload designed to break out of the textarea context, such as: </textarea><script>alert(document.cookie)</script>. 5. Save the inquiry data. The plugin uses update_post_meta to store this value, bypassing some content filtering. 6. The script will execute in the browser of any administrative user who subsequently views the inquiry detail page.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.