Skip to main content

Contact Us By Lord Linus CVE-2025-25127

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:20 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rohitashv Singhal Contact Us By Lord Linus allows Reflected XSS. This issue affects Contact Us By Lord Linus: from n/a through 2.6.

AnalysisAI

Reflected cross-site scripting (XSS) in the WordPress plugin 'Contact Us By Lord Linus' (versions up to 2.6) allows remote attackers to execute arbitrary JavaScript in victim browsers by crafting malicious URLs. Exploitation requires user interaction (clicking a link or visiting a crafted page), but no authentication is needed. CVSS 7.1 reflects scope change indicating potential session hijacking across security contexts. EPSS score of 0.15% (36th percentile) suggests low mass-exploitation probability, though XSS vulnerabilities in WordPress plugins remain attractive targets for phishing and account takeover campaigns.

Technical ContextAI

This is a classic reflected XSS vulnerability (CWE-79) affecting a WordPress contact form plugin. Reflected XSS occurs when user-supplied input is immediately returned in the HTTP response without proper sanitization or output encoding, allowing attackers to inject malicious JavaScript. The vulnerability affects 'Contact Us By Lord Linus' plugin versions from earliest available through 2.6. WordPress plugins frequently suffer from XSS when developers fail to sanitize GET/POST parameters or properly escape output using WordPress security functions like esc_html(), esc_url(), or wp_kses(). The 'S:C' (Scope Changed) metric in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's security scope, likely enabling attackers to compromise WordPress admin sessions or inject malicious content into site visitor browsers.

Affected ProductsAI

WordPress plugin 'Contact Us By Lord Linus' developed by Rohitashv Singhal, all versions from initial release through version 2.6 inclusive. The vulnerability was reported through Patchstack's WordPress security database (audit@patchstack.com). Affected installations include any WordPress site with this plugin active, regardless of WordPress core version. Full details available in the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/contact-us-by-lord-linus/vulnerability/wordpress-contact-us-by-lord-linus-plugin-2-6-reflected-cross-site-scripting-xss-vulnerability.

RemediationAI

No vendor-released patch identified at time of analysis for versions beyond 2.6. WordPress administrators should immediately check the official WordPress plugin repository for updated versions post-2.6 with security fixes. If no update exists, disable and deactivate the 'Contact Us By Lord Linus' plugin and replace with actively maintained alternatives such as Contact Form 7, WPForms, or Gravity Forms which have dedicated security teams. Temporary mitigation: implement Web Application Firewall (WAF) rules to sanitize query parameters and block common XSS payloads targeting the plugin's input fields, though this provides incomplete protection against encoded or obfuscated attacks. Consider restricting plugin access to authenticated users only via WordPress role management, though this limits legitimate contact form functionality. Security advisory and IOCs available at https://patchstack.com/database/wordpress/plugin/contact-us-by-lord-linus/vulnerability/wordpress-contact-us-by-lord-linus-plugin-2-6-reflected-cross-site-scripting-xss-vulnerability.

Share

CVE-2025-25127 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy