Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vault Group Pty Ltd VaultRE Contact Form 7 allows Stored XSS. This issue affects VaultRE Contact Form 7: from n/a through 1.0.
Published: 2025-03-27
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation leads to stored cross‑site scripting (XSS) in VaultRE Contact Form 7. Any content entered through the contact form can be persisted and later rendered unescaped, allowing an attacker to inject arbitrary scripts into pages viewed by site visitors. The resulting impact includes session hijacking, phishing, and content spoofing, affecting the confidentiality and integrity of user interactions with the site.

Affected Systems

The vulnerability is present in the VaultRE Contact Form 7 plugin developed by Vault Group Pty Ltd. All installations running version 1.0 or earlier are affected. No specific build or patch levels are listed beyond the maximum affected version.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. The EPSS score is below 1%, implying a very low probability of active exploitation at the time of assessment. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack pathway involves an attacker submitting a crafted message via the exposed form fields, which is stored and later rendered on the site without proper escaping. Because the vector requires input via a website page that is publicly accessible, an external attacker can easily reach it. The published CVSS vector, however, lists high privileges required (PR:H) and user interaction required (UI:R).

Generated by OpenCVE AI on May 1, 2026 at 03:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest release of VaultRE Contact Form 7 (version >1.0) or remove the plugin entirely if it is no longer required.
  • Remove any previously submitted content that may contain malicious scripts and perform a content audit across the site.
  • Ensure that all user input handled by the plugin is validated and sanitized per CWE‑79 best practices, such as escaping output for the HTML context in which it is rendered.


Advisories
Source: EUVD
ID: EUVD-2025-8530
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vault Group Pty Ltd VaultRE Contact Form 7 allows Stored XSS. This issue affects VaultRE Contact Form 7: from n/a through 1.0.
History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vault Group Pty Ltd VaultRE Contact Form 7 wp-plugin-contact-form-7 allows Stored XSS. This issue affects VaultRE Contact Form 7: from n/a through <= 1.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vault Group Pty Ltd VaultRE Contact Form 7 allows Stored XSS. This issue affects VaultRE Contact Form 7: from n/a through 1.0.
References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vault Group Pty Ltd VaultRE Contact Form 7 allows Stored XSS. This issue affects VaultRE Contact Form 7: from n/a through 1.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vault Group Pty Ltd VaultRE Contact Form 7 wp-plugin-contact-form-7 allows Stored XSS. This issue affects VaultRE Contact Form 7: from n/a through <= 1.0.
References

Fri, 28 Mar 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 22:45:00 +0000

Values Added
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vault Group Pty Ltd VaultRE Contact Form 7 allows Stored XSS. This issue affects VaultRE Contact Form 7: from n/a through 1.0.
Title: WordPress VaultRE Contact Form 7 plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-79
References
Metrics: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:05.327Z

Reserved: 2025-03-26T09:26:19.815Z

Link: CVE-2025-31101

Vulnrichment

Updated: 2025-03-28T15:21:49.742Z

NVD

Status: Deferred

Published: 2025-03-27T23:15:35.980

Modified: 2026-04-28T19:30:59.527

Link: CVE-2025-31101

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T03:45:07Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')