CVE-2026-0753
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in victims' browsers via the 'sscf_name' parameter in the Super Simple Contact Form WordPress plugin. Attackers can steal session cookies, redirect users, or perform actions on their behalf. All WordPress sites using this plugin up to version 1.6.2 are affected.
💻 Affected Systems
- Super Simple Contact Form WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full control of the WordPress site, install backdoors, deface the site, or steal sensitive user data.
Likely Case
Attackers steal user session cookies, redirect visitors to malicious sites, or perform limited actions within the victim's browser context.
If Mitigated
With proper web application firewalls and security headers, the attack is blocked or limited to non-sensitive actions.
🎯 Exploit Status
Exploitation requires tricking users into clicking malicious links. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.3 or later
Vendor Advisory: https://wordpress.org/plugins/super-simple-contact-form/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Go to Plugins → Installed Plugins. 3. Find 'Super Simple Contact Form'. 4. Click 'Update Now' if update available. 5. If no update, deactivate and delete plugin, then install fresh version from WordPress repository.
🔧 Temporary Workarounds
Web Application Firewall Rule
allBlock or sanitize requests containing malicious scripts in the sscf_name parameter
WAF-specific configuration required
Content Security Policy Header
allImplement CSP headers to restrict script execution sources
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to .htaccess or web server config
🧯 If You Can't Patch
- Disable or remove the Super Simple Contact Form plugin immediately
- Implement strict Content Security Policy headers to mitigate script execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Super Simple Contact Form version 1.6.2 or earlierCheck Version:
wp plugin list --name=super-simple-contact-form --field=version (if WP-CLI installed)Verify Fix Applied:
Verify plugin version is 1.6.3 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests with sscf_name parameter containing script tags or JavaScript
- Multiple failed XSS attempts in web server logs
Network Indicators:
- HTTP requests with sscf_name parameter containing encoded script payloads
- Referrer headers pointing to suspicious domains
SIEM Query:
source="web_server_logs" AND (sscf_name CONTAINS "<script" OR sscf_name CONTAINS "javascript:")🔗 References
- https://downloads.wordpress.org/plugin/super-simple-contact-form.1.6.2.zip
- https://plugins.trac.wordpress.org/browser/super-simple-contact-form/tags/1.6.2/super-simple-contact-form.php#L152
- https://plugins.trac.wordpress.org/browser/super-simple-contact-form/trunk/super-simple-contact-form.php#L152
- https://wordpress.org/plugins/super-simple-contact-form/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e10c0d8d-718d-45dd-9ac3-a2673a6a16af?source=cve
