Skip to main content

CF7 Views CVE-2026-57411

| EUVDEUVD-2026-43483 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-delivered DOM XSS needing victim interaction (UI:R) and no attacker auth (PR:N); script escapes the component context (S:C) with limited C/I/A impact in the browser.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:56 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman CF7 Views &#8211; Complete Entry Management for Contact Form 7 cf7-views allows DOM-Based XSS.This issue affects CF7 Views &#8211; Complete Entry Management for Contact Form 7: from n/a through <= 3.2.2.

AnalysisAI

DOM-based cross-site scripting in the WordPress plugin CF7 Views - Complete Entry Management for Contact Form 7 (by Aman) affects all versions from an unspecified start through 3.2.2, letting a remote attacker who lures a user into interacting with a crafted link or page execute arbitrary JavaScript in that user's browser session. The flaw carries a CVSS 3.1 base score of 7.1 with a scope change (S:C), reflecting that script executes outside the vulnerable component's security context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious DOM XSS payload
Delivery
Deliver crafted link to victim
Exploit
Victim opens vulnerable CF7 Views page
Execution
Script executes in victim browser
Impact
Hijack session or act as user

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target site runs CF7 Views (cf7-views) version 3.2.2 or earlier and that a victim's browser reaches the plugin's vulnerable DOM rendering path - for example by visiting an attacker-supplied URL, fragment, or a page containing attacker-controlled entry data that the plugin's front-end JavaScript renders without sanitization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, score 7.1) indicates network-reachable, low-complexity exploitation requiring no privileges but mandating user interaction, with limited confidentiality, integrity, and availability impact amplified by a scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or a page containing a malicious script payload that the CF7 Views front-end JavaScript will process into a DOM sink, then delivers it to a logged-in site administrator or user via email, comment, or a link. When the victim opens the crafted content and the vulnerable view renders, the script executes in their browser, potentially stealing session cookies or performing actions in the WordPress context. …
Remediation No vendor-released patch version is identified in the available data; the advisory records the vulnerable range as up to and including 3.2.2, so administrators should monitor the plugin page and the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/cf7-views/vulnerability/wordpress-cf7-views-complete-entry-management-for-contact-form-7-plugin-3-2-2-cross-site-scripting-xss-vulnerability) and upgrade to any release above 3.2.2 as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all WordPress installations running CF7 Views plugin versions 3.2.2 and earlier and assess current deployments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57411 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy