CVE-2025-26560

CVE-2025-26560 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the KKWangen WP Contact Form III plugin (wp-contact-form-iii) for WordPress. This issue affects all versions of the plugin from n/a through 1.6.2d inclusive. Published on 2025-03-26, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.

A remote, unauthenticated attacker can exploit this vulnerability by crafting a malicious URL containing an XSS payload and tricking a victim user—such as a site visitor or administrator—into accessing it, for example via phishing or social engineering. User interaction is required, but once triggered, the payload executes in the victim's browser in the context of the vulnerable WordPress site, enabling potential theft of session tokens, cookies, or other sensitive data, as well as actions performed on the victim's behalf, with low impacts to confidentiality, integrity, and availability across the changed scope.

The primary advisory reference is available from Patchstack at https://patchstack.com/database/Wordpress/Plugin/wp-contact-form-iii/vulnerability/wordpress-wp-contact-form-iii-plugin-1-6-2d-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which details the vulnerability in the WP Contact Form III plugin up to version 1.6.2d. Security practitioners should review this source for recommended mitigations, such as plugin updates if patches are issued or temporary workarounds like input sanitization.