Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network reflected XSS needs no privileges but requires the victim to click a link (UI:R); scope changes to the victim browser (S:C) with low C/I impact and no genuine availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks Contact Form Entries contact-form-entries allows Reflected XSS.This issue affects Contact Form Entries: from n/a through <= 1.5.2.
AnalysisAI
Reflected cross-site scripting in the CRM Perks "Contact Form Entries" WordPress plugin (versions up to and including 1.5.2) lets remote attackers inject script that executes in a victim's browser after the victim clicks a crafted link. Because the CVSS scope is changed (S:C), successful injection can reach data and actions beyond the vulnerable component, typically the WordPress admin/session context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to actively click or load an attacker-crafted URL against a site running Contact Form Entries <= 1.5.2 (CVSS UI:R), so it is not autonomous - a social-engineering step is mandatory. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network-reachable, low complexity, no privileges, but requiring user interaction, with a scope change and low impact to confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to the target WordPress site with a malicious script embedded in a parameter reflected by the Contact Form Entries plugin, then delivers it to a logged-in administrator via email or a link. When the admin opens the link, the script executes in their authenticated session, allowing session/cookie theft or admin actions on their behalf. … |
| Remediation | No vendor-released patched version is identified from the available data (the record only states the flaw affects versions up to and including 1.5.2). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all WordPress installations for CRM Perks Contact Form Entries plugin version 1.5.2 or earlier and disable the plugin immediately. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43362