Impact
An improper neutralization of input during web page generation in the WP Contact Form III plugin allows reflected cross-site scripting (XSS). The flaw lets an attacker inject script that is immediately reflected back to the victim when the submitted form data is displayed. This can result in execution of arbitrary script in the victim's browser, leading to session hijacking, defacement, or further compromise of the site. The weakness is classified as CWE-79. It has a CVSS score of 7.1, indicating high severity. The EPSS score is below 1%, suggesting a low probability of exploitation at the time of this analysis. The issue is not listed in the CISA KEV catalog.
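To make the CWE-79 pattern concrete, here is an added example in plain PHP (not the plugin's own code) of a contact-form field being re-displayed after submission: the unsafe version echoes the value straight into the page, the hardened version escapes it for the HTML attribute context it lands in. The function names and the sample value are constructed for illustration; inside a WordPress plugin the escaping step would normally use esc_attr() or esc_html() rather than htmlspecialchars().

```php
<?php
// Added example (not the plugin's own code): a minimal contact-form field
// renderer showing the CWE-79 pattern the advisory describes (submitted
// form data reflected into the page) beside the hardened equivalent.
// Function names are hypothetical; in a WordPress plugin the escaping
// would be done with esc_attr() / esc_html() instead of htmlspecialchars().

// Vulnerable: the submitted value is concatenated into the HTML, so any
// markup in it becomes part of the page when the form is re-displayed.
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened: every untrusted value is HTML-escaped for the context it lands in.
// ENT_QUOTES escapes both " and ' so the value cannot close the attribute;
// ENT_SUBSTITUTE keeps the output non-empty on malformed UTF-8 input.
function render_field_safe(string $name, string $value): string
{
    $safe_name  = htmlspecialchars($name,  ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safe_value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $safe_name . '" value="' . $safe_value . '">';
}

// Constructed sample input: a field value that contains characters which are
// significant in HTML, as it might look when a submission is redisplayed.
$submitted = '"><b>not a name</b>';

// Unsafe output: the quote closes the value attribute and <b> becomes live markup.
echo render_field_unsafe('your_name', $submitted), PHP_EOL;

// Safe output: the value stays inert inside the attribute.
// <input type="text" name="your_name" value="&quot;&gt;&lt;b&gt;not a name&lt;/b&gt;">
echo render_field_safe('your_name', $submitted), PHP_EOL;
```

The important design point is that escaping is applied at output time and chosen per context: a value placed inside an attribute needs quotes escaped (ENT_QUOTES), while the same value placed between tags needs at least angle brackets and ampersands escaped. A reviewer checking a plugin for this class of flaw looks for every place where request data (GET, POST, or previously stored submissions) reaches the page without passing through such a context-appropriate escape.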
Affected Systems
The WP Contact Form III plugin by KKWangen is affected from its earliest release (not specified) through version 1.6.2d. Any installation running 1.6.2d or earlier is vulnerable.
Risk and Exploitability
The CVSS 7.1 score reflects the damage that could be caused if a victim visits a crafted URL or submits specially crafted form data. Because the attack requires a victim to load the page, the attack vector is likely web-based, leveraging the front-end contact form. The EPSS score of <1% indicates that active exploitation is currently unlikely, but the vulnerability is publicly known and could be leveraged by a sufficiently motivated attacker. As the vulnerability is not listed in KEV, no large-scale exploitation has been reported. Nevertheless, the high severity and the potential impact on confidential authentication tokens or user sessions warrant timely remediation.