CVE-2025-14855
SureForms <= 2.2.0 - Unauthenticated Stored Cross-Site ScriptingThe SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 8,477 live websites that are affected by CVE-2025-14855.
Affected Software
| Product |  SureForms |
| Category | Wordpress Plugins |
| Vulnerable Domains | 8,477 live websites (93% of SureForms install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 51 versions ( 94% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Dec 21, 2025
- Updated - Dec 22, 2025
Credits
- Tiến Dũng Nguyễn (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-14855 United States | 2,866 websites |
 Germany | 1,476 websites |
 Cyprus | 692 websites |
 France | 417 websites |
 GB | 301 websites |
 Netherlands | 250 websites |
 India | 235 websites |
 Canada | 218 websites |
 Spain | 183 websites |
 Poland | 175 websites |
Website Distribution by TLD
Number of websites using CVE-2025-14855| .com | 4,128 websites |
| .de | 684 websites |
| .org | 406 websites |
| .net | 307 websites |
| .fr | 264 websites |
| .nl | 253 websites |
| .com.br | 168 websites |
| .co.uk | 158 websites |
| .pl | 140 websites |
| .it | 136 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-14855
Top websites that are affected by CVE-2025-14855. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****************.com | United States | **,*** | |
| **************.be |  Belgium | **,*** | |
| ********.com | United States | **,*** | |
| **********.net | United States | **,*** | |
| **************.com | United States | **,*** | |
| ****************.com | United States | **,*** | |
| ************.org | Germany | ***,*** | |
| *******************.com |  Bulgaria | ***,*** | |
| *********.com | United States | ***,*** | |
| ***********.nl | Netherlands | ***,*** |
FAQ
CVE-2025-14855 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in SureForms
A total of 8,477 websites have been identified as vulnerable to CVE-2025-14855, based on global website indexing conducted by WebTechSurvey.
The SureForms is affected by the CVE-2025-14855 vulnerability.
SureForms versions up to and including 2.2 are vulnerable to CVE-2025-14855.