WP Cost Estimation & Payment Forms Builder Stored XSS Vulnerability
The WP Cost Estimation & Payment Forms Builder (E&P Forms) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'customerInfos' parameter in all versions up to, and including, 10.5.97 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Quick answer
Loopus WP Cost Estimation & Payment Forms Builder should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- WP Cost Estimation & Payment Forms Builder up to and including 10.5.97
Fixed versions
- Apply the latest patched plugin release after 10.5.97
How to fix it
WP Cost Estimation & Payment Forms Builder is affected by stored XSS through the customerInfos parameter up to version 10.5.97. Update the plugin to a patched release and review forms that display submitted customer information. Because unauthenticated attackers can inject scripts, prioritize public forms and checkout-related workflows.
- Inventory WordPress sites using WP Cost Estimation & Payment Forms Builder.
- Update the plugin to the latest patched release after 10.5.97.
- Review submitted form entries, customerInfos values, pages, and generated estimates for stored script payloads.
- Enable output escaping and input sanitization for all customer information fields.
- Clear WordPress caches, page caches, CDN caches, and object caches after removing malicious content.
- Review admin sessions, user creation, plugin changes, and payment form changes for XSS-driven compromise.
- Rotate administrator passwords and API/payment integration secrets if privileged users viewed injected pages.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm the plugin version is patched beyond 10.5.97.
- Validate stored XSS payloads in customerInfos are escaped or removed.
- Review WordPress, web server, and WAF logs for suspicious form submissions.
- Test cost estimation, payment form, and customer display workflows after the update.
- Run a Fixnx scan and confirm public WordPress pages do not execute injected scripts.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-9253?
Loopus WP Cost Estimation & Payment Forms Builder versions listed as affected should be reviewed: WP Cost Estimation & Payment Forms Builder up to and including 10.5.97.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
