Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scottwallick Easy Contact easy-contact allows Reflected XSS. This issue affects Easy Contact: from n/a through <= 0.1.2.
Published: 2025-04-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Easy Contact plugin for WordPress contains an Improper Neutralization of Input During Web Page Generation vulnerability, classified as CWE‑79. The flaw allows malicious input to be reflected back into the page without adequate sanitization, enabling attackers to inject arbitrary JavaScript into a victim’s browser. Such reflected XSS can lead to session hijacking, credential theft, or the delivery of phishing content to users of sites that use the plugin.

Affected Systems

The vulnerability affects the scottwallick Easy Contact WordPress plugin. All releases from its initial version up through 0.1.2 are impacted; any deployment that includes 0.1.2 or an earlier version is considered vulnerable.

Risk and Exploitability

With a CVSS score of 7.1, the severity is rated High, and the EPSS score of less than 1 % indicates a very low estimated likelihood of exploitation. The likely attack vector is client‑side: an attacker can supply malicious input via query parameters or form fields that are reflected back into the page, without requiring authentication or server‑side code execution, although the CVSS vector (UI:R) shows that the victim must interact for the attack to succeed. The flaw is not listed in the CISA KEV catalog at present, but its High severity warrants attention if the plugin is in use.

Generated by OpenCVE AI on May 1, 2026 at 10:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website or the plugin repository for an updated version that addresses the XSS flaw and install it immediately.
  • If no update is available, remove or disable the Easy Contact plugin from the WordPress installation to eliminate the vulnerable code path.
  • Configure a web application firewall to filter XSS payloads directed at the plugin’s input endpoints, or deploy a Content Security Policy that restricts which scripts the browser will execute on affected pages.


Advisories

Source: EUVD
ID: EUVD-2025-11104
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Contact allows Reflected XSS. This issue affects Easy Contact: from n/a through 0.1.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description (removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Contact allows Reflected XSS. This issue affects Easy Contact: from n/a through 0.1.2.
Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scottwallick Easy Contact easy-contact allows Reflected XSS. This issue affects Easy Contact: from n/a through <= 0.1.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 16 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 15 Apr 2025 22:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Contact allows Reflected XSS. This issue affects Easy Contact: from n/a through 0.1.2.
Title WordPress Easy Contact plugin <= 0.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:02.291Z

Reserved: 2025-03-26T09:22:27.937Z

Link: CVE-2025-30970

Vulnrichment

Updated: 2025-04-16T14:11:45.368Z

NVD

Status: Deferred

Published: 2025-04-15T22:15:26.827

Modified: 2026-04-23T15:27:25.503

Link: CVE-2025-30970

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:15:17Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')