Description
Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name field. Attackers can craft form names containing JavaScript code that executes when other logged-in users access the form management page, enabling session hijacking or credential theft.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the WordPress Contact Form to Email plugin version 1.3.24, where form names are stored in the database without sanitization, enabling an attacker who is authenticated to the WordPress site to embed JavaScript code in a form name. When any other logged‑in user accesses the form management page, the script executes in that user’s browser context, enabling theft of session cookies or other credential leakage. This is a classic stored XSS vulnerability identified as CWE‑79, and it provides an attacker with the same level of access as the victim user.

Affected Systems

The vulnerability affects installations of the Form2Email Contact Form to Email plugin for WordPress, specifically version 1.3.24. All sites that have not applied the 1.3.25 or later patch and still employ that plugin are at risk.

Risk and Exploitability

With a CVSS score of 5.1, the vulnerability falls into the moderate severity range. The exploit requires an attacker to be an authenticated WordPress user, but the attack is trivial once authenticated, as the attacker simply creates a malicious form name. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. Despite the moderate score, the potential for credential theft makes the risk meaningful for sites that rely on the plugin and have many administrators or staff users.

Generated by OpenCVE AI on May 10, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Form2Email Contact Form to Email plugin to the latest available version that removes the stored XSS flaw.
  • If an update cannot be performed immediately, remove the plugin from the site or replace it with a more secure alternative that does not allow unsanitized form names.
  • After removal or patch, review the site’s administrator accounts and consider tightening login controls to reduce the chance that an attacker can obtain an authenticated session.

Generated by OpenCVE AI on May 10, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Form2email
Form2email contact Form To Email
Wordpress
Wordpress wordpress
Vendors & Products Form2email
Form2email contact Form To Email
Wordpress
Wordpress wordpress

Sun, 10 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name field. Attackers can craft form names containing JavaScript code that executes when other logged-in users access the form management page, enabling session hijacking or credential theft.
Title WordPress Contact Form to Email 1.3.24 Stored XSS
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Form2email Contact Form To Email
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:43:48.243Z

Reserved: 2026-02-01T11:24:18.716Z

Link: CVE-2021-47926

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-10T13:16:28.573

Modified: 2026-05-10T13:16:28.573

Link: CVE-2021-47926

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T21:23:36Z

Weaknesses