CVE-2018-7747

MEDIUM

Caldera Forms < 1.6.0-rc.1 - Stored Cross-Site Scripting via Greeting Message, Email Log, or Imported Form

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-7747. PoCs published by Federico Scalco, mindpr00f.

AI-analyzed exploit summary This is a detailed writeup describing multiple stored XSS vulnerabilities in CalderaForms 1.5.9.1. It explains the conditions required for exploitation, provides step-by-step replication instructions, and outlines remediation steps.

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Caldera Forms plugin before 1.6.0-rc.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a greeting message, (2) the email transaction log, or (3) an imported form.

Exploits (2)

exploitdb WRITEUP
by Federico Scalco · textwebappsphp
https://www.exploit-db.com/exploits/44489

This is a detailed writeup describing multiple stored XSS vulnerabilities in CalderaForms 1.5.9.1. It explains the conditions required for exploitation, provides step-by-step replication instructions, and outlines remediation steps.

Classification
Writeup 100%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: CalderaForms 1.5.9.1
No auth needed
Prerequisites: Form settings configured to include user-supplied data in success messages · Admin interface with debug mailer enabled for one of the attack vectors
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP
by mindpr00f · poc
https://github.com/mindpr00f/CVE-2018-7747

This repository provides a detailed tutorial on exploiting CVE-2018-7747, a stored XSS vulnerability in CalderaForms 1.5.9.1. It includes setup instructions, vulnerability analysis, and proof-of-concept steps demonstrating how unsanitized user input in form fields can lead to arbitrary JavaScript execution.

Classification
Writeup 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: CalderaForms WordPress plugin 1.5.9.1
No auth needed
Prerequisites: WordPress with CalderaForms 1.5.9.1 installed · Form configured to display user input in success message
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Product, Release Notes x_refsource_confirm
https://wordpress.org/plugins/caldera-forms/#developers
Release Notes, Vendor Advisory x_refsource_confirm
https://calderaforms.com/updates/caldera-forms-1-6-0/#security
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44489/

Scores

CVSS v3 4.8
EPSS 0.0458
EPSS Percentile 90.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
calderalabs/caldera_forms < 1.5.9
Published Apr 20, 2018
Tracked Since Feb 18, 2026