Description
The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors via a crafted link or cross-site form submission.
Published: 2026-06-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple Basic Contact Form WordPress plugin, in versions up to and including 20250114, fails to escape user‑supplied content that is reflected back to visitors when a form submission triggers a validation error. This omission creates a client‑side Reflected Cross‑Site Scripting flaw, allowing an unauthenticated attacker to inject and execute arbitrary JavaScript that is delivered to the site visitor’s browser.

Affected Systems

Any WordPress site that has the Simple Basic Contact Form plugin installed in a version whose identifier is less than or equal to 20250114 is affected. Sites that have not applied the latest available update for the plugin remain vulnerable.

Risk and Exploitability

The flaw can be triggered by an unauthenticated attacker through a crafted URL or a cross‑site form submission; no special credentials are required. With a CVSS score of 7.1 the vulnerability is classified as high severity, while an EPSS score of less than 1 % indicates a low likelihood of exploitation at present. The flaw is not listed in CISA’s KEV catalog. In the absence of a patch, the risk consists of the typical impact of reflected XSS, including defacement, credential theft, or drive‑by downloads.

Generated by OpenCVE AI on June 24, 2026 at 15:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simple Basic Contact Form plugin to the latest version available from the vendor.
  • Temporarily disable the form’s error handling that echoes user input or remove the plugin entirely until a patch is applied.
  • Monitor site traffic and error logs for injected scripts or suspicious activity.

Generated by OpenCVE AI on June 24, 2026 at 15:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpkube
Wpkube simple Basic Contact Form
Vendors & Products Wordpress
Wordpress wordpress
Wpkube
Wpkube simple Basic Contact Form

Wed, 24 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 24 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 24 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 24 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 24 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 24 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors via a crafted link or cross-site form submission.
Title Simple Basic Contact Form <= 20250114 - Reflected XSS
References

Subscriptions

Wordpress Wordpress
Wpkube Simple Basic Contact Form
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-23T12:27:37.658Z

Reserved: 2026-05-08T13:53:27.370Z

Link: CVE-2026-8172

cve-icon Vulnrichment

Updated: 2026-06-23T12:27:24.643Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:06:27Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')