CVE-2026-8853 - Vulnerability Details

Description

The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'memo' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the memo value is stored via update_post_meta() rather than wp_insert_post(), WordPress's built-in kses and unfiltered_html protections do not apply, allowing attackers to break out of the textarea element via injected closing tags regardless of role-based content filtering.

Published: 2026-06-10

Score: 4.4 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The MW WP Form plugin for WordPress contains a stored cross‑site scripting vulnerability in the 'memo' field for all versions up to and including 5.1.3. The memo value is persisted with the WordPress function update_post_meta, which bypasses WordPress’s built‑in KSES sanitization and unfiltered_html protections. As a result, an authenticated attacker with editor‑level or higher access can inject arbitrary JavaScript that is stored as part of the memo and will execute whenever any user views the page containing that memo. This flaw is the result of insufficient input sanitization and output escaping as specified in the description.

Affected Systems

The vulnerability affects installations of the MW WP Form plugin by websoudan, specifically all versions 5.1.3 and earlier. Sites that have deployed these versions and granted editor‑level or higher permissions to users are susceptible.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity. EPSS data are not available, so the current likelihood of exploitation is unknown. The issue is not listed in the CISA KEV catalog. Because the flaw requires authenticated editor privileges, it cannot be exploited by an unauthenticated attacker, yet once the memo is compromised all users who access the affected page will run the injected script. The impact is confined to the site’s audience and depends on the quantity of users who view the memo field.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

websoudan

MW WP Form

unaffected

Version	Status	Constraints
`0`	affected	≤ 5.1.3

No data.

Vendor Product Confidence Versions

Web-soudan

Mw Wp Form

98%

Version	Status	Scheme	Platform
`[0,5.1.3]`	affected	generic	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the MW WP Form plugin to version 5.1.4 or later, which removes the unfiltered memo handling and restores WordPress’s normal sanitization.
If the plugin cannot be updated immediately, reduce or revoke editor‑level permissions for users who do not need to edit memo fields.
Implement server‑side sanitization on the memo field, stripping dangerous tags or escaping content, or replace the storage method with WordPress’s standard content functions that apply proper filtering.

Generated by OpenCVE AI on June 10, 2026 at 09:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/classes/controllers/class.contact-data.php#L134
https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/templates/contact-data/detail.php#L77
https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.3/classes/controllers/class.contact-data.php#L134
https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.3/templates/contact-data/detail.php#L77
https://plugins.trac.wordpress.org/changeset?old_path=mw-wp-form/tags/5.1.3&new_path=mw-wp-form/tags/5.1.4
https://www.wordfence.com/threat-intel/vulnerabilities/id/2a6dfdec-c1c6-4300-ab0a-9fd1c550d09f?source=cve

History

Wed, 10 Jun 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Web-soudan Web-soudan mw Wp Form Wordpress Wordpress wordpress
Vendors & Products		Web-soudan Web-soudan mw Wp Form Wordpress Wordpress wordpress

Wed, 10 Jun 2026 08:15:00 +0000

Type	Values Removed	Values Added
Description		The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'memo' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the memo value is stored via update_post_meta() rather than wp_insert_post(), WordPress's built-in kses and unfiltered_html protections do not apply, allowing attackers to break out of the textarea element via injected closing tags regardless of role-based content filtering.
Title		MW WP Form <= 5.1.3 - Authenticated (Editor+) Stored Cross-Site Scripting via 'memo' Parameter
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/classes/controllers/class.contact-data.php#L134 https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/templates/contact-data/detail.php#L77 https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.3/classes/controllers/class.contact-data.php#L134 https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.3/templates/contact-data/detail.php#L77 https://plugins.trac.wordpress.org/changeset?old_path=mw-wp-form/tags/5.1.3&new_path=mw-wp-form/tags/5.1.4 https://www.wordfence.com/threat-intel/vulnerabilities/id/2a6dfdec-c1c6-4300-ab0a-9fd1c550d09f?source=cve
Metrics		cvssV3_1 `{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Web-soudan Mw Wp Form

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-06-10T07:50:55.322Z

Updated: 2026-06-10T07:50:55.322Z

Reserved: 2026-05-18T16:14:39.011Z

Link: CVE-2026-8853

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T08:16:25.807

Modified: 2026-06-10T08:16:25.807

Link: CVE-2026-8853

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T10:00:14Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object