Impact
This vulnerability is a cross-site request forgery (CSRF) flaw that lets an attacker cause form data to be submitted on a visitor's behalf; the Multilang Contact Form plugin then stores that data without sanitization. Because the stored data can contain malicious script payloads, the result is a stored cross-site scripting condition: the script executes in the browser of any user who views the page that displays the submitted form. The impact is a possible compromise of confidentiality, integrity, and availability, since the injected JavaScript can steal information or perform actions on behalf of the user when the content is rendered.
Affected Systems
The issue affects the Digital Donkey Multilang Contact Form plugin for WordPress, versions up through and including 1.5. Every WordPress site running version 1.5 or earlier of this plugin is potentially vulnerable until the plugin is removed or patched.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% suggests that exploitation is unlikely in the near term, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is the unprotected CSRF pathway: an authenticated user must be induced to visit a malicious page that triggers a forged form submission. Successful exploitation would let an attacker persist malicious scripts that execute for every visitor of the affected pages.
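The following is an added illustration of the two weaknesses described above (no CSRF token check and unsanitized storage) beside a hardened WordPress form handler; it is not the Multilang Contact Form plugin's code, and the function names and the `mcf_entries` option key are hypothetical.

```php
<?php
// Added illustration, not the Multilang Contact Form plugin's own code.
// Hypothetical names: mcf_* functions and the "mcf_entries" option key.

// BEFORE (the pattern the advisory describes): no CSRF token check,
// raw POST data stored, and the stored value echoed back unescaped.
function mcf_handle_submission_vulnerable() {
    if ( isset( $_POST['mcf_message'] ) ) {
        $entries   = get_option( 'mcf_entries', array() );
        $entries[] = $_POST['mcf_message'];          // stored without sanitization
        update_option( 'mcf_entries', $entries );
    }
}
function mcf_render_entries_vulnerable() {
    foreach ( get_option( 'mcf_entries', array() ) as $entry ) {
        echo '<li>' . $entry . '</li>';              // unescaped output: stored XSS
    }
}

// AFTER: a nonce tied to the action is embedded in the form and verified on
// submit, input is sanitized before storage, and output is escaped on render.
function mcf_render_form_hardened() {
    echo '<form method="post">';
    wp_nonce_field( 'mcf_submit', 'mcf_nonce' );     // action-bound CSRF token
    echo '<textarea name="mcf_message"></textarea>';
    echo '<button type="submit">Send</button></form>';
}
function mcf_handle_submission_hardened() {
    if ( ! isset( $_POST['mcf_message'], $_POST['mcf_nonce'] ) ) {
        return;
    }
    // Reject forged cross-site requests: the token must match this action.
    $nonce = sanitize_text_field( wp_unslash( $_POST['mcf_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'mcf_submit' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    // Sanitize before storing; this strips tags and control characters.
    $message   = sanitize_textarea_field( wp_unslash( $_POST['mcf_message'] ) );
    $entries   = get_option( 'mcf_entries', array() );
    $entries[] = $message;
    update_option( 'mcf_entries', $entries );
}
function mcf_render_entries_hardened() {
    foreach ( get_option( 'mcf_entries', array() ) as $entry ) {
        // Escape at output regardless of how the value was stored.
        echo '<li>' . esc_html( $entry ) . '</li>';
    }
}
```

WordPress nonces are not user-specific for logged-out visitors, so the check above mainly blocks forged submissions made in an authenticated user's session, which is the scenario this advisory describes; escaping on output is what prevents the stored payload from executing even if a bad value reaches the database.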
OpenCVE Enrichment