CVE-2026-9253 in Cost Estimation & Payment Forms Builder Plugininfo

Summary

by MITRE • 07/09/2026

The WP Cost Estimation & Payment Forms Builder (E&P Forms) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'customerInfos' parameter in all versions up to, and including, 10.5.97 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The WP Cost Estimation & Payment Forms Builder plugin presents a critical stored cross-site scripting vulnerability that affects all versions up to and including 10.5.97. This security flaw exists within the plugin's handling of the 'customerInfos' parameter, which fails to properly sanitize user input before processing. The vulnerability stems from inadequate validation mechanisms that allow malicious actors to inject malicious scripts into the plugin's data handling processes, creating a persistent threat vector that can affect any user who accesses affected pages.

The technical implementation of this vulnerability demonstrates a classic stored XSS flaw where attacker-controlled data flows through the application's input validation layers and is subsequently rendered in web pages without proper output escaping. When users access pages containing the maliciously injected content, their browsers execute the embedded scripts within the context of their current session, potentially compromising user credentials, session tokens, or other sensitive information. This vulnerability specifically aligns with CWE-79 which defines cross-site scripting as a common weakness where untrusted data is incorporated into web page content without proper validation or encoding.

The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with persistent access to user sessions and potentially allows for privilege escalation within the WordPress environment. Unauthenticated attackers can exploit this flaw to inject malicious code that executes whenever legitimate users view affected pages, creating a stealthy attack vector that can remain undetected for extended periods. The stored nature of the vulnerability means that once injected, malicious payloads persist until manually removed from the database, making detection and remediation more challenging for system administrators.

Security professionals should implement immediate mitigations including input validation and output escaping measures to prevent unauthorized script injection. The recommended defense-in-depth approach includes validating all user inputs against expected formats, implementing proper HTML escaping for all dynamic content, and regularly monitoring plugin installations for suspicious activity. Organizations should also consider implementing web application firewalls and security monitoring solutions that can detect and block malicious script injection attempts. This vulnerability specifically maps to attack techniques described in the ATT&CK framework under web application attacks where adversaries leverage input validation flaws to execute malicious code in user browsers.

Responsible

Wordfence

Reservation

05/21/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!