Impact
An unauthenticated cross‑site scripting vulnerability exists in the MW WP Form WordPress plugin versions up to 5.1.3, allowing attackers to inject arbitrary JavaScript into page content. Successful exploitation could lead to session hijacking, defacement, or the execution of malicious scripts in the context of site visitors. The weakness is a classic input validation flaw (CWE‑79).
Affected Systems
The affected product is the MW WP Form plugin developed by Takashi Kitajima, which runs within WordPress sites. Any deployment of this plugin version 5.1.3 or earlier is susceptible; no specific WordPress core version is required, and the issue is triggered by any user who can submit data through the form interface.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity, while the EPSS score of less than 1% suggests a low yet non‑zero probability of exploitation today. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is unauthenticated and can be triggered via normal form submissions, the attack vector is likely through public-facing web forms that the plugin presents. An attacker could send malicious payloads without needing to authenticate, making this a potentially risky exposure for any site that remains on the vulnerable plugin version.
OpenCVE Enrichment