Skip to main content

Contact Form to Any API EUVDEUVD-2026-36928

| CVE-2026-39449 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-xgpc-pf53-8726
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated reflected/stored XSS reachable over the network with no privileges, requires victim click (UI:R), and script execution in admin origin causes scope change with limited CIA impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:33 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Contact Form to Any API <= 3.0.3 versions.

AnalysisAI

Unauthenticated reflected/stored cross-site scripting in the WordPress plugin Contact Form to Any API through version 3.0.3 allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. The flaw requires user interaction (UI:R) and changes scope (S:C), meaning injected script can affect resources beyond the vulnerable component, typically the WordPress admin session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Contact Form to Any API is a WordPress plugin by IT Path Solutions (CPE cpe:2.3:a:it_path_solutions:contact_form_to_any_api) that forwards form submissions to arbitrary third-party APIs. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is rendered into HTML output without adequate encoding or sanitization. Because the CVSS vector marks PR:N, the injection sink is reachable by unauthenticated visitors - likely via form-submission or display parameters that the plugin echoes back into a page consumed by a privileged user, producing a scope change (S:C) when the script runs in the admin's browser context.

RemediationAI

Patch status: patch available per vendor advisory - upgrade Contact Form to Any API to the next release above 3.0.3 as published by IT Path Solutions on the WordPress.org plugin repository; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/contact-form-to-any-api/vulnerability/wordpress-contact-form-to-any-api-plugin-3-0-3-cross-site-scripting-xss-vulnerability should be consulted for the exact fixed version once published. If immediate upgrade is not possible, deactivate and remove the plugin (trade-off: any contact-form-to-API integrations break) or place the site behind a WAF such as Patchstack, Wordfence, or Cloudflare with rules that strip <script> tags and event-handler attributes from request parameters bound to the plugin's endpoints (trade-off: may break legitimate rich-text submissions). Enforce strong Content-Security-Policy headers disallowing inline script as a secondary defense, and require admins to log into WordPress from a separate browser profile to reduce the value of a successful XSS hit against an admin session.

Share

EUVD-2026-36928 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy