CVE-2021-47926
Received Received - Intake
Stored XSS in Contact Form to Email WordPress Plugin

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulnCheck

Description
Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name field. Attackers can craft form names containing JavaScript code that executes when other logged-in users access the form management page, enabling session hijacking or credential theft.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-05-10
Generated
2026-06-19
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-18
NVD
CVE-2021-47926
EUVD
EUVD-2021-34788
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dwbooster contact_form_to_email to 1.3.24 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47926 is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin "Contact Form to Email" version 1.3.24 and below.

This vulnerability allows authenticated attackers to inject malicious JavaScript code by inserting script tags into the form name field when creating forms.

When other logged-in users access the form management page, the injected script executes, which can lead to session hijacking or credential theft.

Impact Analysis

The vulnerability can impact you by allowing attackers to execute malicious scripts in the context of your logged-in session.

This can lead to session hijacking, where attackers take over your user session, or credential theft, where attackers steal your login information.

Such impacts can compromise the security of your website and user accounts, potentially leading to unauthorized access and data breaches.

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious script tags in the form name fields within the Contact Form to Email plugin's form management interface. Since the vulnerability involves stored cross-site scripting via form names, inspecting the database or plugin configuration for suspicious JavaScript code in form names is essential.

There are no specific commands provided in the available resources to detect this vulnerability directly on your system or network.

Mitigation Strategies

Immediate mitigation steps include restricting access to the form management page to trusted authenticated users only, as the vulnerability requires authentication to exploit.

Additionally, updating the Contact Form to Email plugin to a version higher than 1.3.24 (once a patched version is available) is recommended to fix the stored XSS vulnerability.

As a temporary workaround, avoid creating or editing forms with untrusted input in the form name field to prevent injection of malicious scripts.

Compliance Impact

The vulnerability allows authenticated attackers to inject malicious scripts that can lead to session hijacking or credential theft. Such unauthorized access and data compromise could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and secure handling of credentials.

However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47926. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart