PatchSiren cyber security CVE debrief
CVE-2026-8172 Simple Basic Contact Form CVE debrief
The Simple Basic Contact Form WordPress plugin through version 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors. This leads to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors via a crafted link or cross-site form submission. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity. The CVE was published on 2026-06-23T07:16:21.007Z and last modified on 2026-06-23T14:52:58.543Z. The vendor information is currently unknown.
- Vendor: Simple Basic Contact Form
- Product: Simple Basic Contact Form WordPress plugin
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-23
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-23
Who should care
Administrators of sites running the Simple Basic Contact Form WordPress plugin (version 20250114 or earlier) should be aware of this vulnerability and act promptly. Unauthenticated attackers can exploit it to inject scripts into the contact form output that run in the browsers of site visitors. Site owners and security teams should prioritize patching or mitigating this vulnerability.
Technical summary
The Simple Basic Contact Form WordPress plugin through version 20250114 is vulnerable to Reflected Cross-Site Scripting. When a submission fails validation, the plugin writes the submitted values back into the form markup without escaping them, so HTML or script in those values becomes part of the rendered page. The vulnerability can be reached via a crafted link or a cross-site form submission, and unauthenticated attackers can use it to target site visitors. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network-reachable, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity and availability.
Defensive priority
High priority should be given to patching or mitigating this vulnerability, as it allows unauthenticated attackers to exploit Reflected Cross-Site Scripting against site visitors. Immediate action is necessary to protect sites using the Simple Basic Contact Form WordPress plugin.
Recommended defensive actions
- Apply the latest patch or update for the Simple Basic Contact Form WordPress plugin to a version that addresses this vulnerability.
- Implement input validation and output encoding to prevent user-supplied input from being reflected into the contact form output.
- Use a Web Application Firewall (WAF) to detect and prevent cross-site scripting attacks.
- Monitor site activity and logs for potential exploitation attempts.
- Consider replacing the Simple Basic Contact Form WordPress plugin with a more secure alternative.
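The defect described in the technical summary, and the output-encoding recommendation above, come down to one rule: a value reflected back into a form on a validation error must be escaped for the HTML context it lands in. The following is an added illustration written for this debrief; it is not code from the Simple Basic Contact Form plugin, and the function and field names (render_form_unsafe, render_form_safe, scf_name, scf_email, scf_message) are hypothetical. It uses the real WordPress escaping helpers esc_html() and esc_attr(), with stand-ins defined only so the file can be run from the command line outside WordPress.

```php
<?php
// Added illustration for the PatchSiren debrief, not code from the
// Simple Basic Contact Form plugin. Field names are hypothetical.

// Stand-ins so the file runs outside WordPress. Inside WordPress these
// functions are provided by core and the stand-ins are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

/**
 * Minimal validation that reflects the rejected value back in the error
 * text, as contact forms commonly do. The reflection itself is fine; it
 * is the later unescaped output that creates the reflected XSS.
 */
function validate(array $post): array {
    $errors = [];
    $email  = $post['scf_email'] ?? '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid e-mail address: ' . $email;
    }
    if (trim($post['scf_message'] ?? '') === '') {
        $errors[] = 'Message is required.';
    }
    return $errors;
}

/**
 * Vulnerable pattern (the class of bug in the advisory): raw submitted
 * values are concatenated straight into the markup when validation fails,
 * so any markup inside them becomes part of the page.
 */
function render_form_unsafe(array $post, array $errors): string {
    $html  = '<form method="post">';
    foreach ($errors as $e) {
        $html .= '<p class="error">' . $e . '</p>';
    }
    $html .= '<input name="scf_name" value="' . ($post['scf_name'] ?? '') . '">';
    $html .= '<textarea name="scf_message">' . ($post['scf_message'] ?? '') . '</textarea>';
    $html .= '</form>';
    return $html;
}

/**
 * Hardened pattern: escape at the point of output, choosing the escaper by
 * context. esc_attr() for attribute values, esc_html() for element text.
 * The error strings are escaped too, because they embed user input.
 * Input sanitization (e.g. sanitize_text_field()) is useful defense in
 * depth but is not a substitute for context-aware output escaping.
 */
function render_form_safe(array $post, array $errors): string {
    $name    = $post['scf_name'] ?? '';
    $message = $post['scf_message'] ?? '';

    $html  = '<form method="post">';
    foreach ($errors as $e) {
        $html .= '<p class="error">' . esc_html($e) . '</p>';
    }
    $html .= '<input name="scf_name" value="' . esc_attr($name) . '">';
    $html .= '<textarea name="scf_message">' . esc_html($message) . '</textarea>';
    $html .= '</form>';
    return $html;
}

// Constructed submission: ordinary values that happen to contain characters
// significant in HTML (quotes, ampersand, angle brackets) plus an invalid
// e-mail so that the reflecting validation error is produced.
$post = [
    'scf_name'    => 'Bob "Smith" & <bob>',
    'scf_email'   => 'bob at example.com',
    'scf_message' => '',
];
$errors = validate($post);

echo "UNSAFE (raw values land in the markup):\n";
echo render_form_unsafe($post, $errors), "\n\n";
echo "SAFE (values are escaped for their context):\n";
echo render_form_safe($post, $errors), "\n";
```

Run with `php` from the command line to compare the two renderings: in the unsafe output the quote in the name closes the value attribute early and the angle-bracketed text becomes a tag, while the safe output keeps the same text as inert entities. In a real plugin the stand-in definitions are unnecessary, and the review question for every echo that follows a failed validation is simply which WordPress escaper matches the surrounding context.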
Evidence notes
The CVE-2026-8172 record was obtained from the official CVE.org database and the NVD detail page. The vulnerability was reported by [email protected] and has a CVSS score of 7.1. The Simple Basic Contact Form WordPress plugin through 20250114 is affected by this vulnerability.
Official resources
- CVE-2026-8172 CVE record (CVE.org)
- CVE-2026-8172 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
This article is AI-assisted and based on the supplied source corpus.