Formychat
Monthly
Stored cross-site scripting in the WPPOOL FormyChat (social-contact-form) WordPress plugin, versions up to and including 2.15.3, lets remote attackers inject persistent JavaScript that executes in the browser of anyone who later views the affected page. Reported by Patchstack (CVSS 7.1), the scope-changing flaw can be abused to hijack sessions, deface content, or pivot toward WordPress administrator accounts. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stored cross-site scripting in the WPPOOL FormyChat (social-contact-form) WordPress plugin, versions up to and including 2.15.3, lets remote attackers inject persistent JavaScript that executes in the browser of anyone who later views the affected page. Reported by Patchstack (CVSS 7.1), the scope-changing flaw can be abused to hijack sessions, deface content, or pivot toward WordPress administrator accounts. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.