CVE-2026-39435
Description
Unauthenticated XSS in CformsII plugin for WordPress up to version 15.1.3 allows unauthenticated script injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An unauthenticated Cross-Site Scripting (XSS) vulnerability exists in the CformsII WordPress plugin, versions 15.1.3 and earlier. It allows an attacker with no account on the site to inject arbitrary script into pages the site serves [1].
Exploitation
An attacker needs no prior authentication: a crafted request carrying a JavaScript payload is enough to plant the script. Because the payload is delivered by the request rather than stored by the attacker's own session, successful exploitation does require user interaction, such as a victim opening a crafted link or visiting a page prepared to trigger the request [1].
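To make the pattern behind the Vulnerability and Exploitation sections concrete, here is an added illustration of what an unauthenticated reflected XSS in a form plugin typically looks like and how context-aware output escaping closes it. This is example code written for this page, not CformsII's source (the actual fix diff is not available here, see Vulnerability mechanics); the handler names, the `cf_msg` parameter, the markup and the sample request are all assumptions.

```php
<?php
// Added illustration (not CformsII code): a generic reflected-XSS pattern in a
// WordPress form handler and its hardened counterpart. The parameter name
// 'cf_msg', the function names and the markup are assumptions for illustration.

// Outside WordPress, fall back to PHP's own escaping so the file runs stand-alone.
// Inside WordPress the plugin would use the real esc_html()/esc_attr().
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// VULNERABLE: request data is reflected into the page unescaped. Nothing gates
// who can reach this code (no capability check, no nonce), so any visitor who
// opens a crafted URL executes whatever the attacker placed in the parameter.
function render_status_vulnerable(array $get): string {
    $msg = (string) ($get['cf_msg'] ?? '');
    return '<div class="cforms-status">' . $msg . '</div>'
         . '<input type="hidden" name="cf_msg" value="' . $msg . '">';
}

// HARDENED: escape at output, for the exact context the value lands in.
// esc_html() for a text node, esc_attr() for an attribute value. The same
// payload now renders as inert text and the quote cannot close the attribute.
function render_status_hardened(array $get): string {
    $msg = (string) ($get['cf_msg'] ?? '');
    return '<div class="cforms-status">' . esc_html($msg) . '</div>'
         . '<input type="hidden" name="cf_msg" value="' . esc_attr($msg) . '">';
}

// Constructed sample request standing in for $_GET: a redirect payload of the
// kind the Impact section describes, breaking out of the attribute first.
$sample = ['cf_msg' => '"><script>location="https://attacker.example/"</script>'];

echo "vulnerable: ", render_status_vulnerable($sample), PHP_EOL;
echo "hardened:   ", render_status_hardened($sample), PHP_EOL;
```

Run it with the PHP CLI; the vulnerable line contains a live `<script>` element while the hardened line shows `&lt;script&gt;` and `&quot;` in both positions. The point to take from it is that escaping is per context: a value inserted into a `<script>` block or a URL attribute would need `wp_json_encode()` or `esc_url()` rather than `esc_html()`, and input sanitisation on the way in (`sanitize_text_field()`) complements but does not replace escaping on the way out.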
Impact
Injected scripts can redirect visitors, insert advertisements or other HTML, and, once they execute in a visitor's browser, disclose information, hijack sessions, or carry out other client-side attacks against anyone who loads the affected page [1].
Mitigation
The vendor has released version 15.1.4, which fixes the vulnerability; users are advised to update immediately. Patchstack has also issued a mitigation rule that blocks attack attempts until the plugin is updated [1]. A blocking rule lowers exposure but is not a substitute for the patch, so sites relying on it should still schedule the update.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 1
- Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026), Wordfence Blog, Jun 11, 2026