VYPR
High severity · 7.1 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-48871

Description

Unauthenticated XSS in MW WP Form ≤5.1.3 allows script injection through form fields, requiring user interaction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A Cross-Site Scripting (XSS) vulnerability exists in the MW WP Form plugin for WordPress, affecting versions <= 5.1.3 [1]. The flaw allows unauthenticated attackers to inject malicious scripts via form fields or other input vectors, likely due to insufficient sanitization or escaping of user-supplied data before rendering [1]. No special configuration or privileges are required for the attacker, as the vulnerability is triggered when a privileged user (e.g., an admin) interacts with crafted content, such as clicking a malicious link or submitting a specially prepared form [1].
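The escaping failure described above, shown as a generic PHP illustration added here for readers reviewing WordPress form plugins. This is not code from MW WP Form (the page has no fix diff, so the plugin's actual code path is unknown); the handler, field name and sample value are assumed, and the vulnerable and hardened renderers are placed side by side.

```php
<?php
// Added illustration of the bug class, NOT code from MW WP Form.
// Assumption: a form handler echoes a submitted field value back into the page.

/** Vulnerable pattern: user input rendered without escaping. */
function render_field_unsafe(string $label, string $value): string {
    return '<label>' . $label . '</label><input name="field" value="' . $value . '">';
}

/** Hardened pattern: context-aware escaping immediately before output. */
function render_field_safe(string $label, string $value): string {
    // htmlspecialchars with ENT_QUOTES escapes <, >, &, " and ', so the value
    // can neither close the attribute nor introduce new elements.
    // Inside a WordPress plugin the equivalents are esc_html() for element
    // text and esc_attr() for attribute values.
    $l = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $v = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<label>' . $l . '</label><input name="field" value="' . $v . '">';
}

/** Review helper: does rendered output contain a raw tag that the input supplied? */
function output_reflects_markup(string $rendered, string $input): bool {
    return str_contains($input, '<') && str_contains($rendered, '<b>');
}

// Constructed sample value: closes the attribute and adds an element.
$submitted = '"><b>injected</b>';

echo render_field_unsafe('Name', $submitted), PHP_EOL;
// Unsafe output contains a new <b> element parsed by the browser.

echo render_field_safe('Name', $submitted), PHP_EOL;
// Safe output: <input name="field" value="&quot;&gt;&lt;b&gt;injected&lt;/b&gt;">

// Self-check a reviewer can run on both renderers.
assert(output_reflects_markup(render_field_unsafe('Name', $submitted), $submitted) === true);
assert(output_reflects_markup(render_field_safe('Name', $submitted), $submitted) === false);
```

When auditing a plugin for this class of flaw, the check is whether every `echo`/`printf` of request-derived data (`$_POST`, `$_GET`, stored form entries) passes through an escaping function matching its output context; sanitization on input alone is not sufficient, because the same value may later be rendered into attribute, text and JavaScript contexts.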

Exploitation

An unauthenticated attacker can craft a URL or form submission containing malicious JavaScript payloads [1]. Exploitation requires a privileged user to perform an action, such as clicking the attacker-supplied link or viewing the injected content [1]. The attacker does not need any authentication or prior access to the site. The attack vector is network-based and does not require man-in-the-middle positioning [1].

Impact

Successful exploitation allows the attacker to inject arbitrary HTML and JavaScript into the victim's browser, leading to consequences such as redirects to malicious sites, display of advertisements, theft of session cookies, or other actions performed in the context of the logged-in user [1]. The confidentiality and integrity of the affected WordPress instance could be compromised, though full system compromise is not directly achieved without additional vulnerabilities [1].

Mitigation

Update the MW WP Form plugin to version 5.1.4 or later, which contains the fix for this vulnerability [1]. For users who cannot update immediately, Patchstack offers a mitigation rule that blocks attacks until the patch is applied [1]. The plugin vendor has released the patched version; no other workarounds are documented in the available references [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1