CVE-2026-23970
Description
Unauthenticated Cross-Site Scripting (XSS) vulnerability in Redirection for Contact Form 7 plugin for WordPress allows attackers to inject malicious scripts, requiring user interaction for exploitation; fixed in version 3.2.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Redirection for Contact Form 7 plugin for WordPress, versions 3.2.8 and earlier, contains an unauthenticated Cross-Site Scripting (XSS) vulnerability. The flaw allows an attacker to inject arbitrary HTML and JavaScript into the application, which is then executed in the context of a victim's browser. The vulnerability is present in the plugin's handling of redirect parameters or settings, and no authentication is required to trigger the injection [1].
Exploitation
An unauthenticated attacker can craft a malicious request containing a payload. However, successful exploitation requires user interaction: a privileged user (such as an administrator) must click a malicious link, visit a crafted page, or submit a form that triggers the vulnerable functionality. The attacker does not need any prior access or credentials to initiate the attack [1].
Impact
If exploited, the attacker can execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, website defacement, redirection to malicious sites, injection of advertisements, or theft of sensitive information such as cookies or login credentials. The impact is limited to the browser session of the interacting user, but could be used to escalate privileges if the victim is an administrator [1].
Mitigation
The vulnerability is fixed in version 3.2.9 of the plugin. Users are strongly advised to update to this version or later immediately. No workarounds are provided. Patchstack users can enable auto-updates for vulnerable plugins. There is no indication that this CVE is listed in the Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=3.2.8
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Vulnerability mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.