Impact
The vulnerability is a reflected cross-site scripting (XSS) flaw in the Super Simple Contact Form WordPress plugin, caused by missing sanitization and output escaping of the 'sscf_name' query parameter. Because the plugin writes the parameter back into the page unescaped, an unauthenticated attacker can craft a URL whose script payload runs in the browser of any victim who opens it. The attacker thereby executes arbitrary client-side code in the origin of the affected site, which can lead to session hijacking, defacement, or phishing and undermines the site's integrity and confidentiality. As with any reflected XSS the payload is not stored: each victim has to be induced to open the crafted link, and the script runs with the privileges of that victim's session, so the practical impact depends on who is targeted, a logged-in administrator being the worst case.
Affected Systems
The affected product is the WordPress plugin Super Simple Contact Form by bitacre, in all versions up to and including 1.6.2. Any site running one of these versions is affected. The enrichment names no fixed version; releases after 1.6.2 are simply not listed as affected, so an update should be confirmed against the plugin's changelog before it is treated as a remediation, and sites that cannot confirm a fix should deactivate or remove the plugin.
Risk and Exploitability
The CVSS score of 7.2 classifies this as high severity. The EPSS score is below 1%, suggesting a low probability of widespread exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog, so there were no confirmed exploitation reports at the time of analysis. The likely delivery vector is a phishing message, or a link placed on a third-party page, that leads the victim to the crafted URL. Exploitation requires neither authentication nor any prior access to the server: the attacker only needs the victim to open the link. The direct impact is confined to the victim's browser session on the affected site; whether that becomes a site compromise depends on the victim's privileges, since a script running in an authenticated administrator's session can act on the site as that administrator.
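The following is an added example, not code from the plugin or from OpenCVE. It models the reflection described under Impact offline and packages the check a tester would run against a live site before reporting: build a URL carrying a harmless canary in 'sscf_name', then classify how the canary comes back. The enrichment does not say where the plugin echoes the parameter, so the example assumes an input's value attribute; the canary, the three rendered response bodies and the quotes-only variant are all constructed for illustration.

```python
"""Offline model of the 'sscf_name' reflection and a check for it.

Added example, not code from the Super Simple Contact Form plugin. The canary,
the response bodies and the attribute context in which the parameter is
assumed to be echoed are all constructed for illustration.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PARAM = "sscf_name"

# Harmless canary: a unique token to find the reflection, then the characters
# that matter in an HTML attribute context. If it lands raw, <x> is merely an
# unknown element; nothing executes.
CANARY_TOKEN = "sscfcanary7c1"
CANARY_SUFFIX = '"><x>'
CANARY = CANARY_TOKEN + CANARY_SUFFIX

# Entity forms a server might use for each metacharacter (matched lower-cased).
ESCAPED = {
    '"': ("&quot;", "&#34;", "&#x22;"),
    "<": ("&lt;", "&#60;", "&#x3c;"),
    ">": ("&gt;", "&#62;", "&#x3e;"),
}


def build_probe_url(page_url: str, value: str = CANARY, param: str = PARAM) -> str:
    """Return page_url with `param` set to `value`, replacing any existing copy.

    urlencode() percent-encodes the metacharacters, so whether they come back
    raw is decided by the server's output handling, not by the transport.
    """
    parts = urlsplit(page_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != param]
    query.append((param, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def classify_reflection(body: str) -> str:
    """Walk the reflected canary character by character.

    'absent': token not echoed; 'unencoded': every metacharacter came back raw;
    'encoded': every one came back as an entity; 'partial': a mix (e.g. quotes
    escaped, angle brackets raw); 'altered': echoed but changed some other way.
    """
    idx = body.find(CANARY_TOKEN)
    if idx < 0:
        return "absent"
    tail = body[idx + len(CANARY_TOKEN):]
    raw = escaped = 0
    for ch in CANARY_SUFFIX:
        if tail.startswith(ch):
            tail = tail[1:]
            if ch in ESCAPED:
                raw += 1
            continue
        entity = next((e for e in ESCAPED.get(ch, ()) if tail.lower().startswith(e)), None)
        if entity is None:
            return "altered"
        tail = tail[len(entity):]
        escaped += 1
    if raw and escaped:
        return "partial"
    return "unencoded" if raw else "encoded"


class _ElementSpotter(HTMLParser):
    """Records whether the canary's <x> was parsed as a real element."""

    def __init__(self) -> None:
        super().__init__()
        self.found = False

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "x":
            self.found = True


def injected_element_present(body: str) -> bool:
    """True if <x> became an element, i.e. markup injection actually works.

    Stricter than classify_reflection(): a raw '<' inside a quoted attribute
    whose '"' was escaped stays inside the attribute and creates nothing.
    """
    spotter = _ElementSpotter()
    spotter.feed(body)
    spotter.close()
    return spotter.found


# Constructed responses for the assumed context: the value is written back into
# an <input> value attribute. render_fixed() escapes the way html.escape() does,
# which for this canary is the same output WordPress's esc_attr() gives.
def render_vulnerable(name: str) -> str:
    return f'<form><input type="text" name="{PARAM}" value="{name}"></form>'


def render_quotes_only(name: str) -> str:
    """Hypothetical half-measure: only double quotes are escaped."""
    return render_vulnerable(name.replace('"', "&quot;"))


def render_fixed(name: str) -> str:
    return render_vulnerable(html.escape(name, quote=True))


if __name__ == "__main__":
    print(build_probe_url("https://example.com/contact/?page_id=2"))
    for label, render in (("vulnerable", render_vulnerable),
                          ("quotes-only", render_quotes_only),
                          ("fixed", render_fixed)):
        body = render(CANARY)
        print(f"{label:12} {classify_reflection(body):10} element={injected_element_present(body)}")
```

Against a real instance, fetch build_probe_url(...) with the site's contact page URL and pass the response body to classify_reflection() and injected_element_present(): 'unencoded' together with a True element result reproduces the defect, while 'encoded' is what a correctly escaped page returns. The quotes-only case is there because it is a common half-fix; the canary comes back 'partial' yet no element is created in the assumed attribute context, which is why the parser-based check and the substring check are kept separate. The standard WordPress remedy is to escape at output with esc_attr() (or esc_html() in text context) and to run the input through sanitize_text_field(); the encoded response modelled here is what esc_attr() yields for this canary.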
OpenCVE Enrichment