Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network injection with low complexity (PR:N/AC:L), but execution needs a victim to view the stored payload (UI:R) and crosses into the browser context (S:C) with limited C/I/A.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPPOOL FormyChat social-contact-form allows Stored XSS.This issue affects FormyChat: from n/a through <= 2.15.3.
AnalysisAI
Stored cross-site scripting in the WPPOOL FormyChat (social-contact-form) WordPress plugin, versions up to and including 2.15.3, lets remote attackers inject persistent JavaScript that executes in the browser of anyone who later views the affected page. Reported by Patchstack (CVSS 7.1), the scope-changing flaw can be abused to hijack sessions, deface content, or pivot toward WordPress administrator accounts. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the FormyChat (social-contact-form) plugin to be installed and active at version 2.15.3 or earlier, and requires an attacker to reach an input that the plugin stores and later renders without neutralization (CWE-79). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, base 7.1 High) describes a network-reachable, low-complexity, unauthenticated attack that requires victim interaction (a user or admin loading the page holding the stored payload) and yields limited confidentiality, integrity, and availability impact across a changed scope - the classic stored-XSS profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a crafted entry (for example through a FormyChat contact/chat field or an input that FormyChat later renders) containing a malicious <script> or event-handler payload, which the plugin stores without proper sanitization. When a site administrator or visitor subsequently opens the page or admin screen that renders that stored value, the JavaScript executes in their browser under the site's origin, enabling session/cookie theft or actions on the victim's behalf. … |
| Remediation | Upgrade FormyChat to a release later than 2.15.3 (i.e. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, immediately deactivate and remove the WPPOOL FormyChat plugin from all WordPress instances, and deploy an alternative form solution (Gravity Forms, WPForms, or Contact Form 7 with current security updates). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43454