Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Contact Form Email contact-form-to-email allows Stored XSS. This issue affects Contact Form Email: from n/a through <= 1.3.52.
Published: 2025-01-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input that enables stored cross‑site scripting. An attacker can inject malicious script content, which will be executed in the context of a victim’s browser when the affected page is loaded. The attack does not provide direct code execution on the server, but it can compromise confidentiality, integrity, and availability of user sessions, and facilitate credential theft or further attacks against the site and its users.

Affected Systems

The plugin Contact Form Email from codepeople is affected for all versions from the earliest available up through 1.3.52. Any WordPress installation that has this plugin installed and has not been updated to a newer version is at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate risk. The EPSS score of < 1% suggests a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely local (the attacker must craft a form submission that is stored by the plugin), requiring the victim to load a page that displays the stored data. Without a user interaction that triggers the page load, the exploit does not automatically propagate. The weakness is CWE‑79, a common input validation flaw.

Generated by OpenCVE AI on May 2, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Contact Form Email to version 1.3.53 or later
  • Configure the plugin or server to escape or sanitize stored form content before rendering it on web pages
  • Enable a web application firewall (WAF) rule set that detects and blocks common XSS patterns in form submissions


Advisories

Source: EUVD
ID: EUVD-2025-3919
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodePeople Contact Form Email allows Stored XSS. This issue affects Contact Form Email: from n/a through 1.3.52.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics: cvssV3_1
  Removed: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
  Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodePeople Contact Form Email allows Stored XSS. This issue affects Contact Form Email: from n/a through 1.3.52.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Contact Form Email contact-form-to-email allows Stored XSS.This issue affects Contact Form Email: from n/a through <= 1.3.52.
First Time appeared
  Added: Codepeople; Codepeople Contact Form Email
CPEs
  Added: cpe:2.3:a:codepeople:contact_form_email:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Added: Codepeople; Codepeople Contact Form Email
References
Metrics: cvssV3_1
  Removed: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}
  Added: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Fri, 24 Jan 2025 19:15:00 +0000

Metrics: ssvc
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Jan 2025 17:30:00 +0000

Description
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodePeople Contact Form Email allows Stored XSS. This issue affects Contact Form Email: from n/a through 1.3.52.
Title
  Added: WordPress Contact Form to Email Plugin <= 1.3.52 - Cross Site Scripting (XSS) vulnerability
Weaknesses
  Added: CWE-79
References
Metrics: cvssV3_1
  Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Codepeople Contact Form Email
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:33.504Z

Reserved: 2025-01-23T14:52:44.768Z

Link: CVE-2025-24727

Vulnrichment

Updated: 2025-01-24T18:36:54.585Z

NVD

Status: Modified

Published: 2025-01-24T18:15:46.707

Modified: 2026-04-23T15:25:22.660

Link: CVE-2025-24727

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T05:30:26Z

Weaknesses