PatchSiren

Simple Basic Contact Form CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH | Simple Basic Contact Form CVE | published 2026-06-23

CVE-2026-8172

The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors. This leads to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors via a crafted link or cross-site form submission. The vulnerability has a CVSS score of 7.1 and is classified [truncated]