CVE-2026-8172
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
The Simple Basic Contact Form WordPress plugin through version 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability.
Risk Assessment
Unauthenticated attackers can exploit this vulnerability against site visitors via a crafted link or cross-site form submission.
Recommendation
It is recommended to update the plugin to the latest version that fixes this vulnerability and review the code to ensure proper input data sanitization.
Original NVD description (English source)
The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors via a crafted link or cross-site form submission.

