Contact Us Simple Form

4.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Description

The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Basic Information

ID CVE-2025-14028

Source Wordfence

Published Jan 7, 2026 at 09:20

Affected Product

Vendor bruterdregz

Product Contact Us Simple Form

Version *

Affected Versions bruterdregz Contact Us Simple Form *

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
    "published": "2026-01-07T09:20:53.714Z",
    "modified": "2026-01-07T09:20:53.714Z",
    "type": "cve",
    "title": "Contact Us Simple Form <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c78ab13-22ed-4f00-b132-c9ff99c51273?source=cve\nhttps://plugins.trac.wordpress.org/browser/contact-us-simple-form/trunk/contact-us-simple-form.php#L223\nhttps://plugins.trac.wordpress.org/browser/contact-us-simple-form/tags/1.0/contact-us-simple-form.php#L223\nhttps://plugins.trac.wordpress.org/browser/contact-us-simple-form/trunk/contact-us-simple-form.php#L239\nhttps://plugins.trac.wordpress.org/browser/contact-us-simple-form/tags/1.0/contact-us-simple-form.php#L239",
    "id": "CVE-2025-14028",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "bruterdregz Contact Us Simple Form *",
    "sourceHref": "",
    "cvss": {
        "score": 4.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Contact Us Simple Form",
    "version": "*",
    "vendor": "bruterdregz",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Contact Us Simple Form <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings_CVE-2025-14028