WordPress Plugin Vulnerabilities

Multilang Contact Form <= 1.5 - Reflected Cross-Site Scripting

Description

The Multilang Contact Form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
multilang-contact-form
No known fix

References

CVE
CVE-2025-22795
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f821bc5d-4590-4dfb-b709-73476a7eeac2

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
LVT-tholv2k
Verified
No
WPVDB ID
39234451-73f0-4248-a2b1-218efe3f95f7

Timeline

Publicly Published
2025-01-13 (about 1 year ago)
Added
2025-01-22 (about 1 year ago)
Last Updated
2025-01-22 (about 1 year ago)

Other

Published
Title
Published
2024-08-08
Title
Element Pack Elementor Addons < 5.7.7 - Contributor+ Stored XSS via title_tag
Published
2026-02-13
Title
QuestionPro Surveys <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Published
2025-07-23
Title
Mine CloudVod < 2.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via audio Parameter
Published
2017-04-24
Title
Answer My Question 1.3 - Cross-Site Scripting (XSS)
Published
2026-02-17
Title
Rent Fetch < 0.32.7 - Unauthenticated Stored Cross-Site Scripting via 'keyword' Parameter