Impact
The WPCRM – CRM for Contact form CF7 & WooCommerce plugin contains a code path in which user‑supplied input is not properly neutralized before being embedded in an HTML response. An attacker can supply crafted data through a form field or a manipulated URL, and the plugin echoes that payload back to the browser unchanged. The result is execution of attacker-controlled JavaScript in the browser of any visitor who loads the affected page, potentially enabling credential theft, site defacement, or redirect attacks. The flaw is classified as CWE‑79 (improper neutralization of input during web page generation), i.e. a reflected XSS vulnerability that impacts the confidentiality, integrity, and availability of the affected WordPress site.
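The following is an added illustration, not code from the WPCRM plugin or from mojoomla: it shows the generic CWE-79 pattern the advisory describes (request data interpolated straight into markup) next to a hardened version that escapes each value for the exact HTML context it lands in. The request parameters (`name`, `profile`), the function names and the sample values are all assumptions constructed for this example; `htmlspecialchars()` stands in for the WordPress helpers `esc_html()`, `esc_attr()` and `esc_url()` so the script runs with plain `php` on the command line.

```php
<?php
// Added example, not plugin code. Simulates a request so the script runs offline.
// Constructed sample values: the kind of "manipulated URL" parameter the advisory
// refers to. Anything arriving in $_GET is untrusted text, never markup.
$_GET['name']    = 'Ann "Smith" <b>';
$_GET['profile'] = 'https://example.com/u/1';

// VULNERABLE pattern (CWE-79): request data dropped into HTML with no neutralization.
// The "<b>" and the quotes survive as markup, so a visitor's browser will parse
// whatever the attacker put in the parameter as part of the page.
function render_greeting_vulnerable(string $name): string
{
    return "<p class=\"greeting\" data-name=\"$name\">Hello, $name</p>";
}

// Escape for an HTML text node or a double-quoted attribute value.
// In a WordPress plugin the equivalents are esc_html() and esc_attr().
function esc_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Escape for a URL attribute: allow only http(s) URLs and drop everything else,
// then escape the survivor for the attribute context. In WordPress, esc_url()
// performs this role.
function esc_for_url(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return '';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// HARDENED pattern: every untrusted value is escaped for its output context
// (text node, attribute value, URL attribute) at the moment it is emitted.
function render_greeting_hardened(string $name, string $profileUrl): string
{
    return sprintf(
        '<p class="greeting" data-name="%s">Hello, %s <a href="%s">profile</a></p>',
        esc_for_html($name),      // attribute context
        esc_for_html($name),      // text-node context
        esc_for_url($profileUrl)  // URL attribute context
    );
}

$name       = (string) ($_GET['name'] ?? '');
$profileUrl = (string) ($_GET['profile'] ?? '');

echo "vulnerable: ", render_greeting_vulnerable($name), PHP_EOL;
echo "hardened:   ", render_greeting_hardened($name, $profileUrl), PHP_EOL;
```

Running the script prints the vulnerable rendering with the quotes and `<b>` tag intact (the attribute is broken out of and a new element is opened), while the hardened rendering shows `&quot;` and `&lt;b&gt;` in both the attribute and the text node, so the browser treats the whole value as literal text. The defensive rule the hardened version embodies is output escaping chosen per context at render time, not a single input filter applied once on the way in.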
Affected Systems
Affected installations are all WordPress sites running WPCRM version 3.2.0 or earlier; the vulnerability is present in every build from the earliest release up to and including 3.2.0. The vendor, mojoomla, lists this version range as affected and no fixed version is identified, so any site running 3.2.0 remains at risk.
Risk and Exploitability
The CVSS score of 7.1 places the issue in the high-severity range, but the EPSS value of less than 1% suggests that large‑scale exploitation has not yet been observed. Because the vulnerability is triggered by rendering user input into a page, exploitation requires that an attacker convince or trick a user into submitting crafted data or visiting a malicious URL. No privilege escalation or compromise of any other system is required; the injected script runs in the browser of whichever visitor loads the vulnerable page. The vulnerability is not currently listed in CISA’s KEV catalog, but its severity warrants careful monitoring and mitigation, in practice updating or removing the plugin and reviewing web server logs for unusual parameter values submitted to the affected forms.