Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable WordPress plugin, no auth, but requires user interaction; XSS scope change yields limited C/I in another origin, with no realistic availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in MW WP Form <= 5.1.3 versions.
AnalysisAI
Reflected or stored Cross-Site Scripting in the MW WP Form WordPress plugin (versions <= 5.1.3) allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with crafted plugin content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates network-reachable exploitation with no privileges but requiring user interaction, and the scope change reflects the cross-origin impact typical of XSS in browser contexts. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
MW WP Form is a third-party form-builder plugin for WordPress maintained by Takashi Kitajima (CPE: cpe:2.3:a:takashi_kitajima:mw_wp_form), used to create contact and inquiry forms on WordPress sites. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is rendered into HTML/JS output without adequate encoding or sanitization. In WordPress form plugins, this class of bug typically arises when submitted field values, query parameters, or admin-rendered form data are echoed into the page without using esc_html/esc_attr/wp_kses, allowing attacker-supplied markup to be interpreted by the browser.
RemediationAI
Patch available per vendor advisory - administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/mw-wp-form/vulnerability/wordpress-mw-wp-form-plugin-5-1-3-cross-site-scripting-xss-vulnerability for the fixed release and upgrade MW WP Form to the latest version above 5.1.3 via the WordPress plugin updater. If upgrading is not immediately possible, deactivate the MW WP Form plugin on public-facing sites (which will remove any forms it serves and break submission flows), or front the site with a WAF rule that blocks common XSS payloads on parameters handled by the plugin's endpoints, accepting the trade-off of potential false positives on legitimate rich-text submissions. Administrators with high-value sessions should also be advised to avoid clicking unfamiliar links targeting the affected WordPress instance until the upgrade is applied.
More in Mw Wp Form
View allUnrestricted upload of file with dangerous type exists in MW WP Form versions v4.4.2 and earlier, which may allow a remo
Directory traversal vulnerability in MW WP Form versions v4.4.2 and earlier allows a remote unauthenticated attacker to
The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in websoudan MW WP Fo
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36849
GHSA-59gh-qc25-r9fj