CVE-2026-1045
Stored XSS in Viet Contact WordPress Plugin Admin Settings
Publication date: 2026-01-20
Last updated on: 2026-01-20
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | viet_contact | to 1.3.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Viet Contact WordPress plugin is a Stored Cross-Site Scripting (XSS) issue affecting versions up to 1.3.2. It occurs because the plugin does not properly sanitize or escape input in the admin settings, allowing authenticated users with administrator-level permissions to inject malicious scripts. These scripts are then stored and executed whenever a user accesses the affected page. This vulnerability specifically impacts multi-site installations or sites where the unfiltered_html capability is disabled. [2, 3]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrator privileges to inject malicious JavaScript code into the website. When other users visit the infected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, defacement, unauthorized actions, or theft of sensitive information. Since the vulnerability requires admin-level access, it can be exploited by insiders or attackers who have compromised an admin account. It affects multi-site WordPress installations or those with unfiltered_html disabled, increasing the risk of widespread impact across multiple sites. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored Cross-Site Scripting (XSS) via admin settings in the Viet Contact WordPress plugin. Detection involves checking for injected scripts in the admin settings or pages where the contact widget is rendered. Since the vulnerability requires administrator-level access and affects multi-site installations or those with unfiltered_html disabled, you can detect it by reviewing the admin settings for suspicious script tags or unusual content in the Viet Contact plugin options. Additionally, inspecting pages that include the contact widget for unexpected JavaScript execution can help. Specific commands are not provided in the resources, but you can use WordPress database queries to check the options table for script injections, for example: `SELECT * FROM wp_options WHERE option_name LIKE '%vietcontact%' AND option_value LIKE '%<script>%'`. Also, using browser developer tools to inspect the rendered contact widget for injected scripts can assist detection. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Updating the Viet Contact plugin to a version later than 1.3.2 if available, as versions up to and including 1.3.2 are vulnerable. 2) Restricting administrator-level access to trusted users only, since exploitation requires admin permissions. 3) Enabling unfiltered_html if possible, or reviewing and sanitizing all admin input fields related to the Viet Contact plugin to remove any injected scripts. 4) Temporarily disabling the Viet Contact plugin on multi-site installations until a patch or update is applied. 5) Monitoring and cleaning any injected scripts found in the plugin settings or rendered pages. Since the vulnerability arises from insufficient input sanitization and output escaping, applying manual sanitization or using security plugins that filter XSS can help mitigate risk.