Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-delivered DOM XSS needing victim interaction (UI:R) and no attacker auth (PR:N); script escapes the component context (S:C) with limited C/I/A impact in the browser.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman CF7 Views – Complete Entry Management for Contact Form 7 cf7-views allows DOM-Based XSS.This issue affects CF7 Views – Complete Entry Management for Contact Form 7: from n/a through <= 3.2.2.
AnalysisAI
DOM-based cross-site scripting in the WordPress plugin CF7 Views - Complete Entry Management for Contact Form 7 (by Aman) affects all versions from an unspecified start through 3.2.2, letting a remote attacker who lures a user into interacting with a crafted link or page execute arbitrary JavaScript in that user's browser session. The flaw carries a CVSS 3.1 base score of 7.1 with a scope change (S:C), reflecting that script executes outside the vulnerable component's security context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target site runs CF7 Views (cf7-views) version 3.2.2 or earlier and that a victim's browser reaches the plugin's vulnerable DOM rendering path - for example by visiting an attacker-supplied URL, fragment, or a page containing attacker-controlled entry data that the plugin's front-end JavaScript renders without sanitization. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, score 7.1) indicates network-reachable, low-complexity exploitation requiring no privileges but mandating user interaction, with limited confidentiality, integrity, and availability impact amplified by a scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL or a page containing a malicious script payload that the CF7 Views front-end JavaScript will process into a DOM sink, then delivers it to a logged-in site administrator or user via email, comment, or a link. When the victim opens the crafted content and the vulnerable view renders, the script executes in their browser, potentially stealing session cookies or performing actions in the WordPress context. … |
| Remediation | No vendor-released patch version is identified in the available data; the advisory records the vulnerable range as up to and including 3.2.2, so administrators should monitor the plugin page and the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/cf7-views/vulnerability/wordpress-cf7-views-complete-entry-management-for-contact-form-7-plugin-3-2-2-cross-site-scripting-xss-vulnerability) and upgrade to any release above 3.2.2 as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all WordPress installations running CF7 Views plugin versions 3.2.2 and earlier and assess current deployments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43483