Description
The Contact Us Page – Contact People plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 3.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-13
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The CVE affects the Contact Us Page – Contact People WordPress plugin and allows a stored XSS vulnerability via the style parameter. Unsanitized input is stored and rendered in pages, letting an authenticated user with contributor or higher privileges inject arbitrary JavaScript. When any visitor loads the affected page, the attacker’s script runs with the visitor’s browser context, potentially capturing cookies, session data or executing further malicious actions.

Affected Systems

Vendors and products affected include a3rev’s Contact Us Page – Contact People plugin for WordPress. All versions up to and including 3.7.4 are vulnerable; the issue is not present in newer releases beyond that threshold.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while an EPSS score below 1% suggests a low but nonzero exploitation probability. The vulnerability is not listed in CISA KEV. Exploitation requires the attacker to be authenticated as a contributor or higher, and the attack vector is through the plugin’s style parameter during normal use. Once compromised, the attacker can execute arbitrary scripts in the context of any user who views the injected page.

Generated by OpenCVE AI on April 20, 2026 at 22:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Contact Us Page – Contact People plugin to the latest version (3.7.5 or later).
  • If the plugin is no longer required, uninstall or disable it to remove the vulnerable surface.
  • Audit user role assignments and remove any unnecessary contributor accounts to reduce the risk of authenticated exploitation.
  • Consider enabling a web application firewall or a security plugin that hashes or sanitizes style attributes to prevent future cross‑site scripting attacks.

Generated by OpenCVE AI on April 20, 2026 at 22:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18231 The Contact Us Page – Contact People plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 3.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0003}

 epss

{'score': 0.00035}

Thu, 10 Jul 2025 01:00:00 +0000

Type Values Removed Values Added
First Time appeared A3rev
A3rev contact Us Page - Contact People
CPEs cpe:2.3:a:a3rev:contact_us_page_-_contact_people:*:*:*:*:*:wordpress:*:*
Vendors & Products A3rev
A3rev contact Us Page - Contact People

Fri, 13 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Jun 2025 02:30:00 +0000

Type Values Removed Values Added
Description The Contact Us Page – Contact People plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 3.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Contact Us Page – Contact People <= 3.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via style Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

A3rev Contact Us Page - Contact People
Wordpress Contact Us Page - Contact People
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:55.526Z

Reserved: 2025-05-23T17:47:29.123Z

Link: CVE-2025-5123

cve-icon Vulnrichment

Updated: 2025-06-13T15:30:03.070Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-13T03:15:51.853

Modified: 2025-07-10T00:38:57.290

Link: CVE-2025-5123

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:45:20Z

Weaknesses