CVE-2021-47926

MEDIUM

WordPress Contact Form to Email 1.3.24 Stored XSS

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47926. PoCs published by Mohammed Aadhil Ashfaq.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in the WordPress plugin Contact Form to Email version 1.3.24. The attacker can inject malicious JavaScript into the form name, which executes when accessed by an authenticated user.

Description

Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name field. Attackers can craft form names containing JavaScript code that executes when other logged-in users access the form management page, enabling session hijacking or credential theft.

Exploits (1)

exploitdb WORKING POC

by Mohammed Aadhil Ashfaq · textwebappsphp

https://www.exploit-db.com/exploits/50524

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in the WordPress plugin Contact Form to Email version 1.3.24. The attacker can inject malicious JavaScript into the form name, which executes when accessed by an authenticated user.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: WordPress Plugin Contact Form to Email 1.3.24

Auth required

Prerequisites: Authenticated access to WordPress admin panel

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed May 10, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-50524

https://www.exploit-db.com/exploits/50524

Product product

Official Product Homepage

https://form2email.dwbooster.com/

Third Party Advisory third-party-advisory

VulnCheck Advisory: WordPress Contact Form to Email 1.3.24 Stored XSS

https://www.vulncheck.com/advisories/wordpress-contact-form-to-email-stored-xss

Scores

CVSS v3 6.4

EPSS 0.0019

EPSS Percentile 8.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

Form2Email/Contact Form to Email 1.3.24

Published May 10, 2026

Tracked Since May 10, 2026