Skip to main content

Redirection for Contact Form 7 CVE-2026-23970

| EUVDEUVD-2026-36909 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-rvgx-ff5x-9ggp
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Public form input reachable without auth (AV:N/PR:N), trivial to send (AC:L), victim must render page (UI:R), script crosses into browser context (S:C), typical XSS yields limited C/I/A.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:44 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Redirection for Contact Form 7 <= 3.2.8 versions.

AnalysisAI

Reflected/stored cross-site scripting in the Redirection for Contact Form 7 WordPress plugin (versions ≤ 3.2.8) allows remote unauthenticated attackers to inject malicious scripts that execute in a victim's browser after user interaction. The flaw, reported by Patchstack and tracked as EUVD-2026-36909, carries a CVSS 3.1 base score of 7.1 with scope change due to script execution crossing the plugin/browser trust boundary. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

The Redirection for Contact Form 7 plugin (themeisle/wpcf7-redirect per CPE cpe:2.3:a:themeisle:redirection_for_contact_form_7) extends the popular Contact Form 7 WordPress plugin by adding post-submission redirect and action handling. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning attacker-controlled input is rendered into HTML/JS contexts without adequate output encoding or sanitization. Because Contact Form 7 forms are exposed on public-facing pages, untrusted form-field or URL-parameter content can reach a context where it is interpreted as script by visiting browsers.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the supplied intelligence, so administrators should upgrade to the latest Themeisle Redirection for Contact Form 7 release published after the 3.2.8 advisory (consult https://patchstack.com/database/wordpress/plugin/wpcf7-redirect/vulnerability/wordpress-redirection-for-contact-form-7-plugin-3-2-8-cross-site-scripting-xss-vulnerability for the exact fixed version). If immediate patching is not possible, compensating controls include deactivating the Redirection for Contact Form 7 plugin (forms will lose post-submission redirect behavior), enforcing a strict Content-Security-Policy that disallows inline scripts on pages hosting Contact Form 7 (may break legitimate inline analytics or other plugins), and deploying a WordPress-aware WAF rule (e.g., Patchstack, Wordfence) to filter script-like payloads in form submissions - at the cost of occasional false positives on rich-text fields. Administrators should also review form submission logs and rotate session cookies for any account that may have viewed attacker-supplied content.

Share

CVE-2026-23970 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy