Skip to main content

CformsII EUVDEUVD-2026-36925

| CVE-2026-39435 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-qpmw-qc78-jhmg
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable unauthenticated XSS requiring victim interaction; script executes in WordPress origin (scope change) with limited C/I/A impact typical of reflected/stored XSS.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:34 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in CformsII <= 15.1.3 versions.

AnalysisAI

Stored/reflected cross-site scripting in the CformsII WordPress plugin (versions ≤ 15.1.3) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when the crafted content is rendered, enabling session hijacking, credential theft, or actions on behalf of authenticated users including administrators. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 (UI:R, scope-changed). No public exploit identified at time of analysis and EPSS data was not provided.

Technical ContextAI

CformsII (cpe:2.3:a:bgermann:cformsii) is a WordPress form-builder plugin used to create contact and feedback forms. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input - likely passed through a form field, parameter, or shortcode handler - is rendered back into HTML/JavaScript context without proper output encoding or input sanitization. Because WordPress plugins render content inside the same origin as the admin dashboard, an XSS payload that fires for a logged-in administrator can escalate to full site compromise via plugin/theme editing or arbitrary PHP execution.

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack advisory and NVD entry list 15.1.3 as the highest known-vulnerable version with no fixed version published, so administrators should upgrade to a version newer than 15.1.3 once released by the maintainer (monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/cforms2/vulnerability/wordpress-cformsii-plugin-15-1-3-cross-site-scripting-xss-vulnerability). Until a fix ships, compensating controls include deactivating and removing the CformsII plugin (side effect: any forms built with it stop working and must be migrated to an alternative such as Contact Form 7 or WPForms), placing a Web Application Firewall rule (e.g., Patchstack's vPatch, Wordfence, or Cloudflare managed rules) in front of vulnerable endpoints to filter script-bearing payloads (side effect: possible false positives on legitimate rich-text submissions), and restricting unauthenticated form submissions via reCAPTCHA or IP allow-listing to reduce drive-by injection attempts (side effect: degraded UX for legitimate users).

Share

EUVD-2026-36925 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy