The vulnerability is a stored cross‑site scripting flaw that allows an attacker to inject malicious JavaScript into pages served by the Ajax Contact Form plugin. Once an attacker submits malicious content through the form, the script is persisted in the site database and executed whenever visitors load the impacted page. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of legitimate users, and defacement or content injection. The weakness is identified as CWE‑79, indicating improper input sanitization during web page generation.

The affected product is the Ajax Contact Form plugin developed by Olaf Lederer. Versions from the initial release through 1.4.1 contain the flaw; any installation of these or earlier versions is susceptible.

The CVSS score of 6.5 reflects a moderate severity with potential for significant impact if exploited. The EPSS score of less than 1% indicates low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attacks would most likely be carried out by submitting crafted input via the form on a publicly accessible page, leveraging the stored data to deliver malicious scripts to end users. No special conditions beyond normal web interaction are required, making this vulnerability fairly easy to exploit in a suitable environment.