Severity by source
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS reachable over the network without authentication (PR:N) but requiring a victim click (UI:R); scope changes to the browser, yielding limited C/I/A impact.
Primary rating from vendor (WPScan).
Description (source: CVE.org)
The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors via a crafted link or cross-site form submission.
Analysis (AI-generated)
Reflected cross-site scripting in the Simple Basic Contact Form WordPress plugin (all versions through 20250114) allows unauthenticated remote attackers to execute arbitrary JavaScript in a visitor's browser when the victim follows a crafted link or submits a cross-site forged form that triggers a validation error. Publicly available exploit details have been published by WPScan, though the issue is not listed in CISA KEV and no EPSS data is provided in the input.
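As an added illustration (not the Simple Basic Contact Form plugin's code, which the page does not show), the unescaped-reflection pattern the description refers to is shown beside its WordPress-idiomatic fix. The field names and both functions are hypothetical; is_email(), wp_unslash(), sanitize_text_field(), esc_html() and esc_attr() are WordPress core functions, so the snippet assumes WordPress is loaded.

```php
<?php
// Added illustration, not the Simple Basic Contact Form plugin's code.
// Field names (sbcf_name, sbcf_email) and both functions are hypothetical;
// is_email(), wp_unslash(), sanitize_text_field(), esc_html() and esc_attr()
// are WordPress core functions and assume WordPress is loaded.

// Vulnerable pattern: on a validation error the submitted values are written
// back into the page (error text and a pre-filled input) without escaping,
// so whatever the requester sent is interpreted as HTML by the visitor's browser.
function vulnerable_render_form_with_errors( array $post ) {
    $name  = isset( $post['sbcf_name'] )  ? $post['sbcf_name']  : '';
    $email = isset( $post['sbcf_email'] ) ? $post['sbcf_email'] : '';
    $html  = '';
    if ( ! is_email( $email ) ) {
        $html .= '<p class="error">Invalid email address: ' . $email . '</p>';
    }
    $html .= '<input type="text" name="sbcf_name" value="' . $name . '">';
    return $html;
}

// Hardened pattern: unslash and sanitize on input, then escape for the exact
// output context (esc_html() for text nodes, esc_attr() inside attributes).
function hardened_render_form_with_errors( array $post ) {
    $name  = isset( $post['sbcf_name'] )  ? sanitize_text_field( wp_unslash( $post['sbcf_name'] ) )  : '';
    $email = isset( $post['sbcf_email'] ) ? sanitize_text_field( wp_unslash( $post['sbcf_email'] ) ) : '';
    $html  = '';
    if ( ! is_email( $email ) ) {
        $html .= '<p class="error">Invalid email address: ' . esc_html( $email ) . '</p>';
    }
    $html .= '<input type="text" name="sbcf_name" value="' . esc_attr( $name ) . '">';
    return $html;
}
```

The hardened version is the shape of fix a maintainer would ship; until one exists, the only reliable mitigation is the one the Recommended Action section gives (disable the plugin).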
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires (1) the target WordPress site to have the Simple Basic Contact Form plugin installed and active at version ≤20250114, (2) the vulnerable contact form to be reachable on a public page so the validation-error code path can be triggered, and (3) a victim with a browser to either click an attacker-crafted link or submit a cross-site forged POST (UI:R), since reflected XSS does not fire without victim interaction. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, 7.1 High) is consistent with a reflected XSS: network reachable, no privileges required, but user interaction required, with the scope change reflecting browser-side impact. |
| Exploit Scenario | An attacker crafts a URL or an external HTML form that submits to the plugin's contact form endpoint with invalid input plus a JavaScript payload in one of the reflected fields, then lures a victim (e.g., a site administrator) to click the link via phishing or a malicious comment. The validation-error page reflects the payload unescaped, executing the attacker's JavaScript under the site's origin and enabling session theft, admin action forgery, or drive-by redirection; a public WPScan PoC documents the exact parameter and payload format. |
| Remediation | No vendor-released patched version is identified in the supplied data: the WPScan advisory lists the plugin as vulnerable through 20250114 with no fixed release cited, so treat this as "No vendor-released patch identified at time of analysis" and monitor https://wpscan.com/vulnerability/535ec1a1-b822-43c9-8264-6442199493d3/ for a fixed build. |
Recommended Action (AI-generated)
Within 24 hours: disable the Simple Basic Contact Form plugin and identify an alternative contact form solution; review web server logs for exploitation attempts.
External POC / Exploit Code
EUVD-2026-38418
GHSA-x74w-29rh-ccvr