CVE-2026-0753
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2Description
The Super Simple Contact Form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sscf_name' parameter in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Analysis
Reflected XSS in the Super Simple Contact Form WordPress plugin through version 1.6.2 allows unauthenticated attackers to inject malicious scripts via the 'sscf_name' parameter due to inadequate input sanitization. An attacker can exploit this by tricking users into clicking a crafted link, causing arbitrary JavaScript to execute in their browsers and potentially leading to session hijacking or credential theft. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all WordPress instances using Super Simple Contact Form plugin and document version numbers; disable the plugin if not critical to operations. Within 7 days: Contact the plugin vendor for patch availability and timeline; implement WAF rules to block malicious payloads in the 'sscf_name' parameter. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today