Skip to main content

FormyChat CVE-2026-57379

| EUVDEUVD-2026-43454 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network injection with low complexity (PR:N/AC:L), but execution needs a victim to view the stored payload (UI:R) and crosses into the browser context (S:C) with limited C/I/A.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:05 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPPOOL FormyChat social-contact-form allows Stored XSS.This issue affects FormyChat: from n/a through <= 2.15.3.

AnalysisAI

Stored cross-site scripting in the WPPOOL FormyChat (social-contact-form) WordPress plugin, versions up to and including 2.15.3, lets remote attackers inject persistent JavaScript that executes in the browser of anyone who later views the affected page. Reported by Patchstack (CVSS 7.1), the scope-changing flaw can be abused to hijack sessions, deface content, or pivot toward WordPress administrator accounts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate FormyChat form on target site
Delivery
Submit input with stored XSS payload
Exploit
Payload persisted by plugin
Execution
Victim/admin views affected page
Persist
Script executes in victim browser
Impact
Session hijack or admin action

Vulnerability AssessmentAI

Exploitation Exploitation requires the FormyChat (social-contact-form) plugin to be installed and active at version 2.15.3 or earlier, and requires an attacker to reach an input that the plugin stores and later renders without neutralization (CWE-79). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, base 7.1 High) describes a network-reachable, low-complexity, unauthenticated attack that requires victim interaction (a user or admin loading the page holding the stored payload) and yields limited confidentiality, integrity, and availability impact across a changed scope - the classic stored-XSS profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted entry (for example through a FormyChat contact/chat field or an input that FormyChat later renders) containing a malicious <script> or event-handler payload, which the plugin stores without proper sanitization. When a site administrator or visitor subsequently opens the page or admin screen that renders that stored value, the JavaScript executes in their browser under the site's origin, enabling session/cookie theft or actions on the victim's behalf. …
Remediation Upgrade FormyChat to a release later than 2.15.3 (i.e. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, immediately deactivate and remove the WPPOOL FormyChat plugin from all WordPress instances, and deploy an alternative form solution (Gravity Forms, WPForms, or Contact Form 7 with current security updates). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57379 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy