CVE-2026-8172 PUBLISHED

Simple Basic Contact Form <= 20250114 - Reflected XSS

Assigner: WPScan
Reserved: 08.05.2026 Published: 23.06.2026 Updated: 23.06.2026

The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors via a crafted link or cross-site form submission.

Product Status

Vendor	Unknown
Product	Simple Basic Contact Form
Versions	Default: unknown affected from 0 to 20250114 (incl.)

Credits

Juthawong Naisanguansee finder
WPScan coordinator

References

https://wpscan.com/vulnerability/535ec1a1-b822-43c9-8264-6442199493d3/

Problem Types

CWE-79 Cross-Site Scripting (XSS) CWE