Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated reflected/stored XSS reachable over the network with no privileges, requires victim click (UI:R), and script execution in admin origin causes scope change with limited CIA impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Contact Form to Any API <= 3.0.3 versions.
AnalysisAI
Unauthenticated reflected/stored cross-site scripting in the WordPress plugin Contact Form to Any API through version 3.0.3 allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. The flaw requires user interaction (UI:R) and changes scope (S:C), meaning injected script can affect resources beyond the vulnerable component, typically the WordPress admin session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Contact Form to Any API is a WordPress plugin by IT Path Solutions (CPE cpe:2.3:a:it_path_solutions:contact_form_to_any_api) that forwards form submissions to arbitrary third-party APIs. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is rendered into HTML output without adequate encoding or sanitization. Because the CVSS vector marks PR:N, the injection sink is reachable by unauthenticated visitors - likely via form-submission or display parameters that the plugin echoes back into a page consumed by a privileged user, producing a scope change (S:C) when the script runs in the admin's browser context.
RemediationAI
Patch status: patch available per vendor advisory - upgrade Contact Form to Any API to the next release above 3.0.3 as published by IT Path Solutions on the WordPress.org plugin repository; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/contact-form-to-any-api/vulnerability/wordpress-contact-form-to-any-api-plugin-3-0-3-cross-site-scripting-xss-vulnerability should be consulted for the exact fixed version once published. If immediate upgrade is not possible, deactivate and remove the plugin (trade-off: any contact-form-to-API integrations break) or place the site behind a WAF such as Patchstack, Wordfence, or Cloudflare with rules that strip <script> tags and event-handler attributes from request parameters bound to the plugin's endpoints (trade-off: may break legitimate rich-text submissions). Enforce strong Content-Security-Policy headers disallowing inline script as a secondary defense, and require admins to log into WordPress from a separate browser profile to reduce the value of a successful XSS hit against an admin session.
More in Contact Form To Any Api
View allImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in IT Path Solutions
The Contact Form to Any API plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 form fi
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36928
GHSA-xgpc-pf53-8726