CVE-2026-32460

The vulnerability is a stored cross-site scripting (XSS) issue in the WordPress plugin Ultimate Addons for Contact Form 7, versions up to and including 3.5.36. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript code into the plugin's output [1].

Exploitation requires an authenticated user with a low-privilege role (e.g., subscriber) to perform an action such as clicking a malicious link or visiting a crafted page. The attacker does not need direct access to the site's admin panel but relies on a privileged user to trigger the payload, making it a cross-site request forgery (CSRF)-like attack vector [1].

If successfully exploited, the injected script executes in the context of the victim's browser, enabling actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing session cookies. This can lead to further compromise of the WordPress site and its users [1].

The vendor has released version 3.5.37 which resolves the issue. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. No workarounds are provided, and the vulnerability is considered low severity but may be targeted in mass-exploit campaigns [1].