The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors via a crafted link or cross-site form submission.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Simple Basic Contact Form WordPress plugin through version 20250114 contains a Reflected Cross-Site Scripting (XSS) vulnerability: it fails to properly escape user-supplied input before displaying it in error messages. When validation errors occur, the plugin reflects the unsanitized data directly into the HTML response, allowing attackers to inject malicious JavaScript. With a CVSS score of 7.1 (High), this vulnerability affects any WordPress site running the vulnerable plugin version. Unauthenticated attackers can exploit it by crafting malicious links or cross-site form submissions that trick site visitors into executing arbitrary scripts in their browsers, potentially leading to session hijacking, credential theft, or malware distribution, without requiring any authentication.
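The bug class in the two advisory paragraphs above, as an added illustration that is not the plugin's own code: a contact-form error handler that reflects a submitted value into the validation message unescaped, next to a hardened version that escapes at the point of output. The field name `scf_name`, the CSS class `scf-error` and both function names are assumed.

```php
<?php
/**
 * Added example (not the plugin's source): reflected XSS through an
 * unescaped validation error, and the hardened form of the same handler.
 * Field name `scf_name`, class `scf-error` and function names are assumed.
 */

// VULNERABLE: the raw POST value is concatenated straight into the HTML
// error box. Whatever arrives in the field, whether from the visitor or from a
// cross-site form that posts to this page, is parsed by the browser as markup.
function scf_render_errors_vulnerable( array $post ) {
    $name   = (string) ( $post['scf_name'] ?? '' );
    $errors = array();
    if ( '' === trim( $name ) ) {
        $errors[] = 'Name is required.';
    } elseif ( strlen( $name ) > 80 ) {
        $errors[] = 'Name is too long: ' . $name;   // unescaped reflection
    }
    if ( empty( $errors ) ) {
        return '';
    }
    return '<div class="scf-error">' . implode( '<br>', $errors ) . '</div>';
}

// HARDENED: normalise the input once on the way in, and HTML-encode it at the
// exact point it is written into markup. sanitize_text_field(), wp_unslash()
// and esc_html() are WordPress core functions; outside WordPress, use
// htmlspecialchars( $s, ENT_QUOTES | ENT_HTML5, 'UTF-8' ) for the encoding step.
function scf_render_errors_hardened( array $post ) {
    $name   = sanitize_text_field( wp_unslash( (string) ( $post['scf_name'] ?? '' ) ) );
    $errors = array();
    if ( '' === $name ) {
        $errors[] = 'Name is required.';
    } elseif ( mb_strlen( $name ) > 80 ) {
        $errors[] = 'Name is too long: ' . esc_html( $name );   // encoded before output
    }
    if ( empty( $errors ) ) {
        return '';
    }
    return '<div class="scf-error">' . implode( '<br>', $errors ) . '</div>';
}
```

Output escaping is the fix for the reflection itself; a nonce check on the submission would additionally block the cross-site POST vector described above but does not replace escaping, since a crafted link can still reach the same error path.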
While this vulnerability does not currently map to MITRE ATT&CK techniques in the standard framework, Casky's Claude AI-powered analysis would identify this attack pattern within the broader context of web application exploitation and client-side attack vectors. A practitioner using Casky would observe detection signals aligned with input validation failures and output encoding weaknesses—foundational attack prerequisites that precede techniques like T1566 (Phishing) or T1204 (User Execution). The platform's 754 mapped security skills enable practitioners to correlate this reflected XSS pattern with vulnerability scanning results, identify similar input-handling weaknesses across their WordPress ecosystem, and trace how malicious payloads propagate through form submissions. Extended reasoning capabilities would help teams understand the attack chain: an attacker crafts a malicious URL, distributes it via email or social engineering, and executes code in victims' browsers without plugin authentication barriers.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-8172. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation