PatchSiren cyber security CVE debrief
CVE-2021-47926 Form2email CVE debrief
CVE-2021-47926 describes a stored cross-site scripting vulnerability in Contact Form to Email 1.3.24. According to the supplied record, an authenticated attacker can create a form with script content in the form name field, and that payload may execute when other logged-in users open the form management page. The expected impact is unauthorized script execution in an administrative context, which can expose sessions or credentials. The NVD record in the supplied corpus was published and last modified on 2026-05-10.
- Vendor: Form2email
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-10
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-10
- Advisory updated: 2026-05-10
Who should care
Administrators and operators using Contact Form to Email 1.3.24, especially environments where multiple trusted users can access the form management interface. Security teams should also care if the plugin is installed on a production site with privileged browser sessions.
Technical summary
The vulnerability is a stored XSS (CWE-79) affecting the form name field. The attacker must already be authenticated, and the malicious content is later rendered to other logged-in users on the form management page, so user interaction is required. The supplied NVD metadata also classifies the issue as a web-delivered XSS that requires low privileges and user interaction.
Defensive priority
Medium. This is not a remote unauthenticated flaw, but stored XSS in an admin-facing workflow can still lead to session theft, account abuse, or follow-on compromise. Prioritize faster if the plugin is installed on internet-facing or multi-admin systems.
Recommended defensive actions
- Inventory systems running Contact Form to Email 1.3.24 and confirm whether the plugin is still active.
- Check the vendor site and trusted advisories for a fixed release or mitigation guidance before continuing use.
- If remediation is not immediately available, restrict access to the form management page to the smallest possible set of trusted accounts.
- Review existing form names and related admin content for unexpected script-like input, and remove suspicious entries.
- Rotate credentials and invalidate active sessions if you suspect the management interface was exposed to malicious stored content.
- Apply standard XSS hardening where possible, including least-privilege admin access and browser-side protections such as a restrictive Content Security Policy.
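A helper for the review and hardening actions above, added here as an example and not code from the plugin or from PatchSiren: it flags stored form names that contain markup, inline handler attributes or javascript: URIs (decoding entities first so encoded payloads are not missed), and shows the output encoding that would make such a name display as text instead of executing on a management page. The SAMPLE_FORMS rows, the form_name column and the alert(1) strings are constructed assumptions, not data from the advisory.

```python
import html
import re
from typing import Dict, Iterable, List

# Constructed sample rows standing in for a plugin's stored forms. The column
# name "form_name" and the row shape are assumptions, not the plugin's schema.
SAMPLE_FORMS: List[Dict[str, object]] = [
    {"id": 1, "form_name": "Contact us"},
    {"id": 2, "form_name": "Quote request <b>fast</b>"},
    {"id": 3, "form_name": "<script>alert(1)</script>"},
    {"id": 4, "form_name": 'Newsletter" onmouseover="alert(1)'},
    {"id": 5, "form_name": "Support & feedback"},
    {"id": 6, "form_name": "Demo &lt;script&gt;alert(1)&lt;/script&gt;"},
]

# Markers a plain form name should never contain: the start of an HTML tag,
# an inline event-handler attribute, or a javascript: URI scheme.
SCRIPT_LIKE = re.compile(
    r"</?[a-z!]"            # start of a tag such as <script, <b or </b
    r"|\bon[a-z]+\s*="      # inline handler such as onerror= or onmouseover=
    r"|javascript\s*:",     # javascript: URI scheme
    re.IGNORECASE,
)


def looks_script_like(name: str) -> bool:
    """True if the name contains markup or handler syntax. Checked on the raw
    value and again after decoding entities, so encoded payloads are not missed."""
    return bool(SCRIPT_LIKE.search(name) or SCRIPT_LIKE.search(html.unescape(name)))


def find_suspicious_forms(rows: Iterable[Dict[str, object]]) -> List[int]:
    """Return the ids of rows whose form_name should be reviewed or removed."""
    return [int(row["id"]) for row in rows if looks_script_like(str(row["form_name"]))]


def render_form_name(name: str) -> str:
    """Output encoding for a management page cell: the stored name is escaped
    when written into HTML, so a stored payload is displayed, not executed."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


if __name__ == "__main__":
    print("rows to review:", find_suspicious_forms(SAMPLE_FORMS))
    for row in SAMPLE_FORMS:
        print(render_form_name(str(row["form_name"])))
```

Any row the scan flags is a candidate for the manual review and removal step; the escaping in render_form_name is the fix a maintainer would apply at the point where names are written into the page.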
Evidence notes
The supplied description explicitly identifies a stored XSS in Contact Form to Email 1.3.24 via the form name field and states that execution occurs when other logged-in users view the form management page. The NVD metadata in the corpus marks the weakness as CWE-79 and includes a low-privilege, user-interaction-dependent CVSS 4.0 vector. The corpus does not include an official vendor patch note or confirmed fixed version.
Official resources
The supplied corpus shows the NVD record published and modified on 2026-05-10. The vulnerability is described as a stored XSS affecting the form name field in Contact Form to Email 1.3.24. No official patch notice or fixed version is included in,