Stored Cross-Site Scripting in WP Easy Contact for WordPress
CVE-2025-8315

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Simple Contact Form Plugin For WordPress – WP Easy Contact
Vendor: CVE Published:; 5 August 2025

What is CVE-2025-8315?

The WP Easy Contact plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability. This flaw arises from inadequate input validation and output escaping in the 'noaccess_msg' parameter, affecting all versions up to and including 4.0.1. As a result, authenticated attackers with Contributor-level access or higher can exploit this vulnerability to inject malicious scripts. These scripts may execute when users access the compromised pages, potentially leading to various security risks, including data theft and session hijacking.

Affected Version(s)

Simple Contact Form Plugin for WordPress – WP Easy Contact * <= 4.0.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.svn.wordpress.org/wp-easy-contact/tags/4....

https://wordpress.org/plugins/wp-easy-contact/#developers

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 5, 2025
Vulnerability Reserved
Jul 29, 2025

Credit

muhammad yudha