Impact
The Simple Basic Contact Form WordPress plugin, in versions up to and including 20250114, fails to escape user‑supplied content that is reflected back to visitors when a form submission triggers a validation error. This omission creates a client‑side Reflected Cross‑Site Scripting flaw, allowing an unauthenticated attacker to inject and execute arbitrary JavaScript that is delivered to the site visitor’s browser.
Affected Systems
Any WordPress site that has the Simple Basic Contact Form plugin installed in a version whose identifier is less than or equal to 20250114 is affected. Sites that have not applied the latest available update for the plugin remain vulnerable.
Risk and Exploitability
The flaw can be triggered by an unauthenticated attacker through a crafted URL or a cross‑site form submission; no special credentials are required. With a CVSS score of 7.1 the vulnerability is classified as high severity, while an EPSS score of less than 1 % indicates a low likelihood of exploitation at present. The flaw is not listed in CISA’s KEV catalog. In the absence of a patch, the risk consists of the typical impact of reflected XSS, including defacement, credential theft, or drive‑by downloads.
OpenCVE Enrichment