CVE-2022-1326

CVE-2022-1326: Form - Contact Form <= 1.2.0 - Admin+ Stored Cross-Site Scripting

Vendor Unknown

Product Form – Contact Form

Weakness CWE-79 · XSS

Published June 27, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The Form - Contact Form WordPress plugin through 1.2.0 does not sanitize and escape Custom text fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Key dates

02Disclosure timeline

June 27, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-1326 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2018-0407 CVE-2025-12029 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab CVE-2023-25840 BUG-000154070 Stored XSS issue in the ArcGIS REST Services directory CVE-2023-41736 WordPress Email posts to subscribers Plugin <= 6.2 is vulnerable to Cross Site Scripting (XSS) CVE-2025-57929 WordPress Double the Donation Plugin <= 2.0.0 - Cross Site Scripting (XSS) Vulnerability