' . $column . '
';
+ $return .= '' . esc_html( $column ) . '
';
}
$return .= '
@@ -260,7 +260,7 @@ public function populate_entry_data() {
foreach ( $field['grid_rows'] as $row_key => $row_value ) {
$return .= '
-
' . $row_value . '
';
+
' . esc_html( $row_value ) . '
';
foreach ( $field['grid_columns'] as $column_key => $column_value ) {
if ( isset( $new_val[ $row_key ] ) ) {
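Review bot: The row label is now wrapped in `esc_html()`, but the inner loop that follows (`foreach ( $field['grid_columns'] as $column_key => $column_value )`, with the `$new_val[ $row_key ]` lookup) continues past the hunk, so whether the per-cell output it appends is escaped is not visible here; the fix only covers the header cells unless those cells get the same treatment. If the cell markup concatenates `$column_value` or `$new_val[ $row_key ]` into HTML, apply `esc_html()` there too (or `esc_attr()` if it lands in an attribute). The hunks at `@@ -317` and `@@ -326` repeat this same row/column pattern and the same question applies to their inner loops. The enclosing method starts and ends outside this hunk.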
@@ -317,7 +317,7 @@ class="wpuf_' . $field['name'] . '_' . $this->form_id . '"
';
foreach ( $field['grid_columns'] as $column ) {
- $return .= '
' . $column . '
';
+ $return .= '
' . esc_html( $column ) . '
';
}
$return .= '
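Review bot: The hunk header shows the surrounding markup building an attribute as `class="wpuf_' . $field['name'] . '_' . $this->form_id . '"` with no escaping on `$field['name']`, while the new lines escape only the column labels; if the field name is stored configuration that an editor can set, it is also a stored-content sink in attribute context. Since that line is outside the hunk I can only see it as header context, but the consistent fix would be `class="wpuf_' . esc_attr( $field['name'] ) . '_' . (int) $this->form_id . '"`. The same header line appears on the `@@ -326` and `@@ -373` hunks, so it likely occurs at least twice in this method. The enclosing method starts and ends outside this hunk.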
@@ -326,7 +326,7 @@ class="wpuf_' . $field['name'] . '_' . $this->form_id . '"
foreach ( $field['grid_rows'] as $row_key => $row_value ) {
$return .= '
-
' . $row_value . '
';
+
' . esc_html( $row_value ) . '
';
foreach ( $field['grid_columns'] as $column_key => $column_value ) {
if ( isset( $new_val[ $row_key ] ) ) {
@@ -373,16 +373,15 @@ class="wpuf_' . $field['name'] . '_' . $this->form_id . '"
$value = implode( '
', $serialized_value );
}
} elseif ( $field['type'] == 'signature_field' ) {
- $url = $value;
-
if ( isset( $_REQUEST['action'] ) != 'weforms_pdf_download' ) {
- $url = content_url() . '/' . $value;
+ $url = esc_url( content_url() . '/' . $value );
$value = sprintf( '

', $url );
$value .= sprintf( '
Download', $url );
- }
- else{
+ } else {
+ $url = esc_url( $value );
$value = sprintf( '

', $url );
}
+ $value = wp_kses_post( $value );
}
$this->fields[ $result->meta_key ]['value'] = apply_filters( 'weforms_entry_meta_field', $value, $field );
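Review bot: The branch condition this hunk rewrites both sides of, `if ( isset( $_REQUEST['action'] ) != 'weforms_pdf_download' )`, compares a bool to a non-empty string, so under PHP 8 loose comparison it reduces to `! isset( $_REQUEST['action'] )` and never looks at the action's value; any request that carries some other `action` parameter takes the PDF branch. The commit keeps this pre-existing line as context, but since the new `esc_url()`/`wp_kses_post()` handling depends on which branch runs, it is worth fixing in the same change: `if ( ! isset( $_REQUEST['action'] ) || 'weforms_pdf_download' !== $_REQUEST['action'] ) {`. Note that the `else` branch now feeds the stored `$value` through `esc_url()` as a URL; if the stored signature value can be a data: URI or a relative path rather than a full URL, confirm `esc_url()`'s allowed-protocol filtering does not blank it. The enclosing method starts outside this hunk.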
diff --git a/includes/class-form.php b/includes/class-form.php
index b488f2b..d856474 100644
--- a/includes/class-form.php
+++ b/includes/class-form.php
@@ -433,7 +433,6 @@ public function maybe_update_entries( $form_fields ) {
public function get_changed_fields( $form_fields ) {
$changed_fields = array();
foreach ( $form_fields as $field ) {
- $org_field = $field['original_name'];
// All form fields should have an original name.
if ( empty( $field['original_name'] ) ) {
continue;
diff --git a/includes/class-notification.php b/includes/class-notification.php
index a1256e5..9a47900 100644
--- a/includes/class-notification.php
+++ b/includes/class-notification.php
@@ -602,6 +602,7 @@ public static function replace_name_tag( $text, $entry_id ) {
* @return string
*/
public static function replace_file_tags( $text, $entry_id ) {
+ $text = $text ?? '';
$pattern = '/{(?:image|file):(\w*)}/';
preg_match_all( $pattern, $text, $matches );
diff --git a/includes/fields/class-abstract-fields.php b/includes/fields/class-abstract-fields.php
index ef6ffd6..6f9c45f 100644
--- a/includes/fields/class-abstract-fields.php
+++ b/includes/fields/class-abstract-fields.php
@@ -539,13 +539,18 @@ public function prepare_entry( $field, $args = [] ) {
wp_send_json_error( __( 'Unauthorized operation', 'weforms' ) );
}
- $args = ! empty( $args ) ? $args : weforms_clean( $_POST );
- $value = !empty( $args[$field['name']] ) ? $args[$field['name']] : '';
+ if ( $args instanceof WP_REST_Request ) {
+ $args = weforms_clean( $args->get_params() );
+ } elseif ( empty( $args ) ) {
+ $args = weforms_clean( $_POST );
+ }
+
+ $value = ! empty( $args[ $field['name'] ] ) ? $args[ $field['name'] ] : '';
if ( is_array( $value ) ) {
- $entry_value = implode( WeForms::$field_separator, $args[$field['name']] );
+ $entry_value = implode( WeForms::$field_separator, $value );
} else {
- $entry_value = trim( $value );
+ $entry_value = sanitize_textarea_field( trim( $value ) );
}
return $entry_value;
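Review bot: `sanitize_textarea_field()` is applied only on the scalar branch (`$entry_value = sanitize_textarea_field( trim( $value ) );`), while the array branch still implodes the raw elements, so multi-value submissions reach the stored entry with only whatever `weforms_clean()` did — which I cannot see from here. For symmetry, sanitize per element before joining: `$entry_value = implode( WeForms::$field_separator, array_map( 'sanitize_textarea_field', array_map( 'trim', $value ) ) );`. Separately, a non-empty array passed in as `$args` by a caller is neither a `WP_REST_Request` nor empty, so it bypasses `weforms_clean()` entirely; if any caller forwards request data that way, document that `$args` must already be cleaned or run it through `weforms_clean()` unconditionally. The function's signature and closing brace are outside this hunk.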
diff --git a/includes/functions.php b/includes/functions.php
index 6a8eab8..bb06dc0 100644
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -621,7 +621,7 @@ function weforms_get_form_field_labels( $form_id ) {
}
$data[ $field['name'] ] = [
- 'label' => $field['label'],
+ 'label' => $field['label'] ?? '',
'type' => $field['template'],
];
}
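Review bot: Only `label` gets the new null-coalesce guard; the very next key, `'type' => $field['template'],`, still reads `$field['template']` unguarded, and a field definition that can be missing `label` is presumably just as able to be missing `template`. If that is the case, guard it the same way: `'type' => $field['template'] ?? '',`. The enclosing function `weforms_get_form_field_labels` starts outside this hunk.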
@@ -715,6 +715,7 @@ function weforms_get_browser() {
$bname = 'Unknown';
$platform = 'Unknown';
$version = '';
+ $ub = '';
// first get the platform
if ( preg_match( '/linux/i', $u_agent ) ) {
diff --git a/package.json b/package.json
index b067070..eed7df9 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
{
"name": "weForms",
"author": "BoldGrid",
- "version": "1.6.27",
+ "version": "1.6.28",
"license": "GPL-2.0",
"repository": {
"type": "git",
diff --git a/readme.txt b/readme.txt
index a95b0d1..3b356ee 100644
--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: form builder, contact form, forms, form creator, custom form
Requires at least: 5.0
Requires PHP: 7.2.5
Tested up to: 6.9
-Stable tag: 1.6.27
+Stable tag: 1.6.28
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -240,6 +240,12 @@ Please report security bugs found in the source code of the undefined plugin thr
== Changelog ==
+= Version 1.6.28 ( 27 February, 2026 ) =
+* Security: Patched stored XSS vulnerability in form entry fields.
+
+= Version 1.6.27 ( 09 February, 2026 ) =
+* Security: Patched object injection vulnerability.
+
= Version 1.6.26 ( 17 December, 2025 ) =
* Fix: Added extra validation for form uploads.
diff --git a/weforms.php b/weforms.php
index cf5eb81..dde519b 100644
--- a/weforms.php
+++ b/weforms.php
@@ -5,7 +5,7 @@
* Plugin URI: https://weformspro.com/
* Author: weForms
* Author URI: https://weformspro.com/
- * Version: 1.6.27
+ * Version: 1.6.28
* License: GPL2 or later
* License URI: https://www.gnu.org/licenses/gpl-2.0.html
* Text Domain: weforms
@@ -55,7 +55,7 @@ final class WeForms {
*
* @var string
*/
- public $version = '1.6.27';
+ public $version = '1.6.28';
/**
* Form field value seperator