CVE-2021-47926
Stored XSS in Contact Form to Email WordPress Plugin

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulnCheck

Description
Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name field. Attackers can craft form names containing JavaScript code that executes when other logged-in users access the form management page, enabling session hijacking or credential theft.
Meta Information
Published: 2026-05-10
Last Modified: 2026-05-10
Generated: 2026-05-10
AI Q&A: 2026-05-10
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: dwbooster
Product: contact_form_to_email
Version / Range: to 1.3.24 (exc)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated attackers to inject malicious scripts that can lead to session hijacking or credential theft. Such unauthorized access and data compromise could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and secure handling of credentials.

However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with these regulations.


Can you explain this vulnerability to me?

CVE-2021-47926 is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin "Contact Form to Email" version 1.3.24 and below.

This vulnerability allows authenticated attackers to inject malicious JavaScript code by inserting script tags into the form name field when creating forms.

When other logged-in users access the form management page, the injected script executes, which can lead to session hijacking or credential theft.


How can this vulnerability impact me?

The vulnerability can impact you by allowing attackers to execute malicious scripts in the context of your logged-in session.

This can lead to session hijacking, where attackers take over your user session, or credential theft, where attackers steal your login information.

Such impacts can compromise the security of your website and user accounts, potentially leading to unauthorized access and data breaches.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of malicious script tags in the form name fields within the Contact Form to Email plugin's form management interface. Since the vulnerability involves stored cross-site scripting via form names, inspecting the database or plugin configuration for suspicious JavaScript code in form names is essential.

There are no specific commands provided in the available resources to detect this vulnerability directly on your system or network.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the form management page to trusted authenticated users only, as the vulnerability requires authentication to exploit.

Additionally, updating the Contact Form to Email plugin to a version higher than 1.3.24 (once a patched version is available) is recommended to fix the stored XSS vulnerability.

As a temporary workaround, avoid creating or editing forms with untrusted input in the form name field to prevent injection of malicious scripts.

