Skip to main content

MW WP Form CVE-2026-48871

| EUVDEUVD-2026-36849 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-59gh-qc25-r9fj
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

Network-reachable WordPress plugin, no auth, but requires user interaction; XSS scope change yields limited C/I in another origin, with no realistic availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:48 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in MW WP Form <= 5.1.3 versions.

AnalysisAI

Reflected or stored Cross-Site Scripting in the MW WP Form WordPress plugin (versions <= 5.1.3) allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with crafted plugin content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates network-reachable exploitation with no privileges but requiring user interaction, and the scope change reflects the cross-origin impact typical of XSS in browser contexts. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

MW WP Form is a third-party form-builder plugin for WordPress maintained by Takashi Kitajima (CPE: cpe:2.3:a:takashi_kitajima:mw_wp_form), used to create contact and inquiry forms on WordPress sites. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is rendered into HTML/JS output without adequate encoding or sanitization. In WordPress form plugins, this class of bug typically arises when submitted field values, query parameters, or admin-rendered form data are echoed into the page without using esc_html/esc_attr/wp_kses, allowing attacker-supplied markup to be interpreted by the browser.

RemediationAI

Patch available per vendor advisory - administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/mw-wp-form/vulnerability/wordpress-mw-wp-form-plugin-5-1-3-cross-site-scripting-xss-vulnerability for the fixed release and upgrade MW WP Form to the latest version above 5.1.3 via the WordPress plugin updater. If upgrading is not immediately possible, deactivate the MW WP Form plugin on public-facing sites (which will remove any forms it serves and break submission flows), or front the site with a WAF rule that blocks common XSS payloads on parameters handled by the plugin's endpoints, accepting the trade-off of potential false positives on legitimate rich-text submissions. Administrators with high-value sessions should also be advised to avoid clicking unfamiliar links targeting the affected WordPress instance until the upgrade is applied.

Share

CVE-2026-48871 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy