CVE-2025-14855

HIGH

SureForms <= 2.2.0 - Unauthenticated Stored XSS via Form Field Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-14855, a PoC published by ch4r0nn.

AI-analyzed exploit summary: This PoC demonstrates a stored XSS vulnerability in the SureForms WordPress plugin (CVE-2025-14855), in which unauthenticated attackers submit JavaScript payloads encoded as HTML entities. The encoded payload passes server-side sanitization and is executed when the stored value is later rendered through React's dangerouslySetInnerHTML.

Description

The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2.2.0, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever a user views a page containing the injected content.
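
The exploit summary and description above describe an entity-encoding bypass: the payload crosses the server-side sanitizer in encoded form and only becomes live markup at an innerHTML sink. The JavaScript below is an added model of that ordering mistake, written for this page rather than taken from the PoC or from SureForms. The decode-before-render step is an assumption about how an entity-encoded payload reaches dangerouslySetInnerHTML; every function name and the PAYLOAD string are constructed for the illustration.

```javascript
// Added model of the sanitize-before-decode ordering that lets an
// entity-encoded payload survive into an innerHTML sink. Constructed example,
// not SureForms code; every function and the PAYLOAD constant are hypothetical.

// Strips literal tags from a raw request parameter. A payload written with
// HTML entities contains no '<', so there is nothing here to strip.
function naiveSanitize(input) {
  return input.replace(/<[^>]*>/g, '');
}

// Decodes the handful of entities a "display nicely" step typically handles.
// '&amp;' is decoded last so that '&amp;lt;' becomes '&lt;', not '<'.
function decodeEntities(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Escapes a string for an HTML text context (the safe output encoding).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pipeline: sanitize the raw parameter at submission time, store it,
// then decode entities at render time and hand the result to an innerHTML-style
// sink (which is what React's dangerouslySetInnerHTML ultimately does).
function storeVulnerable(rawField) {
  return naiveSanitize(rawField);
}
function renderVulnerable(storedField) {
  return { __html: decodeEntities(storedField) }; // prop shape of dangerouslySetInnerHTML
}

// Hardened pipeline: decode first so the sanitizer sees what the browser will
// see, and escape at the output context instead of using an HTML sink. The
// escaping at output is what actually closes the hole; decoding before
// sanitizing is defence in depth against a second decode somewhere downstream.
function storeHardened(rawField) {
  return naiveSanitize(decodeEntities(rawField));
}
function renderHardened(storedField) {
  return escapeHtml(storedField);
}

// Constructed attacker submission: no literal tag characters on the wire.
const PAYLOAD = '&lt;img src=x onerror=alert(document.domain)&gt;';

// Runs both pipelines over the payload and returns what reaches the browser.
function demo() {
  return {
    vulnerable: renderVulnerable(storeVulnerable(PAYLOAD)).__html,
    hardened: renderHardened(storeHardened(PAYLOAD)),
    // Same stored value as the vulnerable path, but escaped at output rather
    // than decoded: the browser shows the entity text literally.
    escapedOnly: renderHardened(storeVulnerable(PAYLOAD)),
  };
}
```

The vulnerable path turns the stored, tag-free string into a live `<img onerror=...>` element, while the hardened path either strips the decoded tag or renders the entities as visible text. For detection, the same observation applies in reverse: a stored form submission whose value contains `&lt;` followed by an `on*=` attribute is worth alerting on, because a legitimate user has little reason to type entity-encoded markup into a contact form.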

Exploits (1)

Source: nomisec · Working PoC · 1 star
by ch4r0nn · poc
https://github.com/ch4r0nn/CVE-2025-14855-POC

Classification: Working PoC (95% confidence)
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: SureForms WordPress Plugin (version not specified)
Authentication: none required
Prerequisites: Target site running SureForms plugin · Access to a form submission endpoint
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3.1: 7.2 (High)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS: 0.0031 (0.31%)
EPSS Percentile: 22.7%
Attack Vector: NETWORK

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
Status: published
Products (1)
brainstormforce/SureForms – Contact Form, Payment Form & Other Custom Form Builder <= 2.2.0 (all versions up to and including 2.2.0, per the description above)
Published: Dec 21, 2025
Tracked since: Feb 18, 2026