Date: 2025-November-05
Vulnerability: Cross-site Scripting
Affected versions: <2.0.0
CVE IDs: CVE-2025-12761
Description: 

This module provides the ability to convert any entity form into a simple multi-step form.

The module doesn’t sufficiently filter certain user-provided text, leading to a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer node form display”.

Solution: 

Install the latest version:

  • If you use the Simple multi step form module for Drupal, upgrade to a release from the 2.x branch, as the 8.x-1.x branch is now unsupported.
Reported By: 
Coordinated By: