Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Public form input reachable without auth (AV:N/PR:N), trivial to send (AC:L), victim must render page (UI:R), script crosses into browser context (S:C), typical XSS yields limited C/I/A.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Redirection for Contact Form 7 <= 3.2.8 versions.
AnalysisAI
Reflected/stored cross-site scripting in the Redirection for Contact Form 7 WordPress plugin (versions ≤ 3.2.8) allows remote unauthenticated attackers to inject malicious scripts that execute in a victim's browser after user interaction. The flaw, reported by Patchstack and tracked as EUVD-2026-36909, carries a CVSS 3.1 base score of 7.1 with scope change due to script execution crossing the plugin/browser trust boundary. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
The Redirection for Contact Form 7 plugin (themeisle/wpcf7-redirect per CPE cpe:2.3:a:themeisle:redirection_for_contact_form_7) extends the popular Contact Form 7 WordPress plugin by adding post-submission redirect and action handling. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning attacker-controlled input is rendered into HTML/JS contexts without adequate output encoding or sanitization. Because Contact Form 7 forms are exposed on public-facing pages, untrusted form-field or URL-parameter content can reach a context where it is interpreted as script by visiting browsers.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the supplied intelligence, so administrators should upgrade to the latest Themeisle Redirection for Contact Form 7 release published after the 3.2.8 advisory (consult https://patchstack.com/database/wordpress/plugin/wpcf7-redirect/vulnerability/wordpress-redirection-for-contact-form-7-plugin-3-2-8-cross-site-scripting-xss-vulnerability for the exact fixed version). If immediate patching is not possible, compensating controls include deactivating the Redirection for Contact Form 7 plugin (forms will lose post-submission redirect behavior), enforcing a strict Content-Security-Policy that disallows inline scripts on pages hosting Contact Form 7 (may break legitimate inline analytics or other plugins), and deploying a WordPress-aware WAF rule (e.g., Patchstack, Wordfence) to filter script-like payloads in form submissions - at the cost of occasional false positives on rich-text fields. Administrators should also review form submission logs and rotate session cookies for any account that may have viewed attacker-supplied content.
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could
The Redirection for Contact Form 7 WordPress plugin before 2.5.0 does not escape a link generated before outputting it i
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36909
GHSA-rvgx-ff5x-9ggp