PatchSiren cyber security CVE debrief
CVE-2026-39449 IT Path Solutions CVE debrief
CVE-2026-39449 is a high-severity unauthenticated cross-site scripting (XSS) vulnerability in the Contact Form to Any API plugin, versions up to 3.0.3. The vulnerability has a CVSS score of 7.1 and was published on [2026-06-15](https://www.cve.org/CVERecord?id=CVE-2026-39449).
- Vendor: IT Path Solutions
- Product: Contact Form to Any API
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Administrators and users of the Contact Form to Any API plugin, versions up to 3.0.3, should be aware of this vulnerability and take the necessary actions to mitigate it.
Technical summary
The vulnerability is caused by a lack of proper input validation and sanitization in the Contact Form to Any API plugin, allowing an unauthenticated attacker to inject malicious JavaScript code.
Defensive priority
High
Recommended defensive actions
- Update to a patched version of the plugin if available.
- Implement additional security measures such as input validation and sanitization.
- Monitor for suspicious activity on the affected system.
Evidence notes
The vulnerability was reported by Patchstack and is tracked under [this Patchstack database entry](https://patchstack.com/database/wordpress/plugin/contact-form-to-any-api/vulnerability/wordpress-contact-form-to-any-api-plugin-3-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve).
Official resources
- CVE-2026-39449 CVE record (CVE.org)
- CVE-2026-39449 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
CVE-2026-39449 was published on 2026-06-15T21:16:43.000Z and modified on 2026-06-15T21:24:32.790Z.