Contact Us By Lord Linus CVE-2025-25127
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rohitashv Singhal Contact Us By Lord Linus allows Reflected XSS. This issue affects Contact Us By Lord Linus: from n/a through 2.6.
AnalysisAI
Reflected cross-site scripting (XSS) in the WordPress plugin 'Contact Us By Lord Linus' (versions up to 2.6) allows remote attackers to execute arbitrary JavaScript in victim browsers by crafting malicious URLs. Exploitation requires user interaction (clicking a link or visiting a crafted page), but no authentication is needed. CVSS 7.1 reflects scope change indicating potential session hijacking across security contexts. EPSS score of 0.15% (36th percentile) suggests low mass-exploitation probability, though XSS vulnerabilities in WordPress plugins remain attractive targets for phishing and account takeover campaigns.
Technical ContextAI
This is a classic reflected XSS vulnerability (CWE-79) affecting a WordPress contact form plugin. Reflected XSS occurs when user-supplied input is immediately returned in the HTTP response without proper sanitization or output encoding, allowing attackers to inject malicious JavaScript. The vulnerability affects 'Contact Us By Lord Linus' plugin versions from earliest available through 2.6. WordPress plugins frequently suffer from XSS when developers fail to sanitize GET/POST parameters or properly escape output using WordPress security functions like esc_html(), esc_url(), or wp_kses(). The 'S:C' (Scope Changed) metric in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's security scope, likely enabling attackers to compromise WordPress admin sessions or inject malicious content into site visitor browsers.
Affected ProductsAI
WordPress plugin 'Contact Us By Lord Linus' developed by Rohitashv Singhal, all versions from initial release through version 2.6 inclusive. The vulnerability was reported through Patchstack's WordPress security database (audit@patchstack.com). Affected installations include any WordPress site with this plugin active, regardless of WordPress core version. Full details available in the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/contact-us-by-lord-linus/vulnerability/wordpress-contact-us-by-lord-linus-plugin-2-6-reflected-cross-site-scripting-xss-vulnerability.
RemediationAI
No vendor-released patch identified at time of analysis for versions beyond 2.6. WordPress administrators should immediately check the official WordPress plugin repository for updated versions post-2.6 with security fixes. If no update exists, disable and deactivate the 'Contact Us By Lord Linus' plugin and replace with actively maintained alternatives such as Contact Form 7, WPForms, or Gravity Forms which have dedicated security teams. Temporary mitigation: implement Web Application Firewall (WAF) rules to sanitize query parameters and block common XSS payloads targeting the plugin's input fields, though this provides incomplete protection against encoded or obfuscated attacks. Consider restricting plugin access to authenticated users only via WordPress role management, though this limits legitimate contact form functionality. Security advisory and IOCs available at https://patchstack.com/database/wordpress/plugin/contact-us-by-lord-linus/vulnerability/wordpress-contact-us-by-lord-linus-plugin-2-6-reflected-cross-site-scripting-xss-vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today