Description
The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors via a crafted link or cross-site form submission.
Published: 2026-06-23
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple Basic Contact Form WordPress plugin up through 20250114 fails to escape user-supplied content that is reflected back to the browser when form validation fails. When an attacker submits a crafted value, the plugin outputs that value unchanged, allowing arbitrary script to execute in the browser of any visitor who loads the resulting error page or form. This cross-site scripting can be used to hijack sessions, steal credentials, or deface the site, depending on the attacker's goal.

Affected Systems

WordPress sites running the Simple Basic Contact Form plugin at version 20250114 or earlier are affected. Any site using that plugin that has not updated to 20250115 or later remains vulnerable.

Risk and Exploitability

The issue can be triggered by an unauthenticated attacker through a crafted URL or form submission; no credentials or elevated privileges are required. EPSS information is not available, and the vulnerability is not listed in CISA's KEV catalog. Without a patch, the risk is that of a typical reflected XSS, which can be high depending on the target site's user base and the attacker's objectives.

Generated by OpenCVE AI on June 23, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simple Basic Contact Form plugin to version 20250115 or newer.
  • If an update is not immediately possible, disable the form’s error output that echoes user input or temporarily remove the plugin from the site.
  • Monitor site traffic for suspicious activity and verify that no malicious scripts are being injected.
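As an added illustration (constructed here, not code from the Simple Basic Contact Form plugin or from OpenCVE), this is the CWE-79 pattern the advisory describes in a WordPress form handler: a submitted value reflected unescaped on a validation error, beside the hardened version that escapes it for its output context with WordPress core's esc_html() and esc_attr(). The field name, function names and the surrounding handler are assumptions.

```php
<?php
// Constructed example of the reflected-XSS pattern and its fix.
// Function and field names (scf_*) are hypothetical, not the plugin's.

// Vulnerable pattern: the submitted value is concatenated straight into HTML,
// so a value containing markup or script runs in the visitor's browser.
function scf_render_error_vulnerable( $submitted_email ) {
    return '<p class="error">Invalid email: ' . $submitted_email . '</p>'
         . '<input type="text" name="scf_email" value="' . $submitted_email . '">';
}

// Hardened pattern: escape for the context the value lands in.
// esc_html() for text between tags, esc_attr() inside an attribute value;
// both are WordPress core functions.
function scf_render_error_safe( $submitted_email ) {
    return '<p class="error">Invalid email: ' . esc_html( $submitted_email ) . '</p>'
         . '<input type="text" name="scf_email" value="' . esc_attr( $submitted_email ) . '">';
}

// Handler: read the POSTed field, validate it, and re-render on failure.
// wp_unslash() and is_email() are WordPress core; the escaping happens
// at output time, in scf_render_error_safe(), regardless of how the value
// arrived (crafted link or cross-site form post).
function scf_handle_submission() {
    $email = isset( $_POST['scf_email'] ) ? wp_unslash( $_POST['scf_email'] ) : '';
    if ( ! is_email( $email ) ) {
        return scf_render_error_safe( $email );
    }
    return '<p>Thanks, your message was sent.</p>';
}
```

A nonce check (wp_nonce_field()/wp_verify_nonce()) limits cross-site submissions of the form but does not replace output escaping, which is the fix for the reflection itself.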

Tracking


Advisories

No advisories yet.

History

Tue, 23 Jun 2026 07:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-79

Tue, 23 Jun 2026 06:45:00 +0000

Type         Values Removed   Values Added
Description                   The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors via a crafted link or cross-site form submission.
Title                         Simple Basic Contact Form <= 20250114 - Reflected XSS
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-23T06:00:02.459Z

Reserved: 2026-05-08T13:53:27.370Z

Link: CVE-2026-8172

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T07:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')