CVE-2024-7056
WPForms < 1.9.1.6 - Admin+ Stored XSSThe WPForms WordPress plugin before 1.9.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
We have discovered 172,551 live websites that are affected by CVE-2024-7056.
Affected Software
| Product |  WPForms |
| Category | Form Builders |
| Vulnerable Domains | 172,551 live websites (36% of WPForms install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 180 versions ( 84% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Nov 25, 2024
- Updated - Nov 13, 2025
Credits
- Dmitrii Ignatyev (finder)
- WPScan (coordinator)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-7056 United States | 48,325 websites |
 Germany | 17,518 websites |
 France | 9,743 websites |
 GB | 8,808 websites |
 Italy | 6,445 websites |
 Netherlands | 5,063 websites |
 Spain | 4,651 websites |
 India | 4,525 websites |
 Brazil | 4,432 websites |
 Poland | 4,016 websites |
Website Distribution by TLD
Number of websites using CVE-2024-7056| .com | 74,068 websites |
| .de | 8,901 websites |
| .org | 7,801 websites |
| .co.uk | 5,145 websites |
| .nl | 4,620 websites |
| .it | 4,587 websites |
| .fr | 4,145 websites |
| .com.br | 4,071 websites |
| .net | 3,694 websites |
| .pl | 3,018 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-7056
Top websites that are affected by CVE-2024-7056. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****************.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| *******.org | Germany | *,*** | |
| *************.com | United States | *,*** | |
| ****.bg |  Bulgaria | *,*** | |
| ****************.org | United States | **,*** | |
| ***********.com | Italy | **,*** | |
| *********************.es | Spain | **,*** | |
| *********.com | United States | **,*** |
FAQ
CVE-2024-7056 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WPForms
A total of 172,551 websites have been identified as vulnerable to CVE-2024-7056, based on global website indexing conducted by WebTechSurvey.
The WPForms is affected by the CVE-2024-7056 vulnerability.
WPForms versions up to 1.9.1.6 are vulnerable to CVE-2024-7056.
CVE-2024-7056 is resolved in version 1.9.1.6 of WPForms.