CVE-2025-8315
Description
The WP Easy Contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WP Easy Contact plugin via 'noaccess_msg' parameter allows authenticated attackers with Contributor-level access to inject arbitrary scripts.
Vulnerability
Overview The WP Easy Contact plugin for WordPress versions up to and including 4.0.1 is vulnerable to Stored Cross-Site Scripting via the 'noaccess_msg' parameter. The plugin fails to sanitize user input and escape output, enabling the storage of malicious scripts.
Exploitation
Details An authenticated attacker with at least Contributor-level access can inject arbitrary web scripts through the 'noaccess_msg' field [1]. These scripts are stored and executed when other users access the affected page [2].
Impact
Successful exploitation allows an attacker to perform actions such as session hijacking, website defacement, or redirecting users to malicious sites. The attack targets users who view the injected page.
Mitigation
Users should update to version 4.0.2 or later, which addresses the vulnerability. No workarounds are available. Affected users are advised to upgrade immediately.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <=4.0.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.