Skip to main content

Contact Form Entries CVE-2026-57708

| EUVDEUVD-2026-43362 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

Network reflected XSS needs no privileges but requires the victim to click a link (UI:R); scope changes to the victim browser (S:C) with low C/I impact and no genuine availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:49 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks Contact Form Entries contact-form-entries allows Reflected XSS.This issue affects Contact Form Entries: from n/a through <= 1.5.2.

AnalysisAI

Reflected cross-site scripting in the CRM Perks "Contact Form Entries" WordPress plugin (versions up to and including 1.5.2) lets remote attackers inject script that executes in a victim's browser after the victim clicks a crafted link. Because the CVSS scope is changed (S:C), successful injection can reach data and actions beyond the vulnerable component, typically the WordPress admin/session context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL with reflected XSS payload
Delivery
Lure admin to click crafted link
Exploit
Plugin echoes payload unescaped in response
Execution
Script executes in admin browser context
Impact
Hijack session / act as admin

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively click or load an attacker-crafted URL against a site running Contact Form Entries <= 1.5.2 (CVSS UI:R), so it is not autonomous - a social-engineering step is mandatory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network-reachable, low complexity, no privileges, but requiring user interaction, with a scope change and low impact to confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to the target WordPress site with a malicious script embedded in a parameter reflected by the Contact Form Entries plugin, then delivers it to a logged-in administrator via email or a link. When the admin opens the link, the script executes in their authenticated session, allowing session/cookie theft or admin actions on their behalf. …
Remediation No vendor-released patched version is identified from the available data (the record only states the flaw affects versions up to and including 1.5.2). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all WordPress installations for CRM Perks Contact Form Entries plugin version 1.5.2 or earlier and disable the plugin immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57708 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy