CVE-2026-39449
Description
Unauthenticated XSS in Contact Form to Any API plugin ≤3.0.3 allows script injection, requiring admin interaction for exploitation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Contact Form to Any API plugin for WordPress versions up to and including 3.0.3 contains an unauthenticated cross-site scripting (XSS) vulnerability. The flaw exists in the contact form handling, allowing an attacker to inject malicious scripts without authentication. However, successful exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link or visiting a crafted page [1].
Exploitation
An attacker with network access can submit a crafted payload via the contact form, which is stored on the server. The attacker then needs to trick a privileged user (e.g., an admin) into viewing the page where the payload is rendered, for example by sending a link or waiting for the admin to review submissions. When the admin accesses the page, the injected script executes in their browser [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the admin's browser. This can lead to session hijacking, website defacement, redirection to malicious sites, or injection of advertisements and other HTML payloads. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns [1].
Mitigation
Immediately update the Contact Form to Any API plugin to a version newer than 3.0.3. If an update is not yet available, apply a mitigation rule from Patchstack (available to subscribers) or contact your hosting provider for assistance. The reference does not specify a fixed version release date, but Patchstack has issued a mitigation rule to block attacks until an official patch is tested and applied [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=3.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.