The digitaldonkey Multilang Contact Form plugin (version ≤ 1.5) suffers from a reflected cross-site scripting vulnerability due to improper input neutralization during web page generation. This allows attackers to inject malicious scripts that execute when a victim interacts with crafted input, potentially leading to partial compromise of confidentiality, integrity, and availability. The CVSS v3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope change, and partial impacts on confidentiality, integrity, and availability. No patch or official remediation guidance is currently available.

Successful exploitation can result in execution of arbitrary scripts in the context of the victim's browser, potentially leading to theft of sensitive information, session hijacking, or other malicious actions affecting confidentiality, integrity, and availability to a limited extent. The reflected nature of the XSS requires user interaction.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider disabling or restricting use of the affected plugin and apply web application firewall (WAF) rules to detect and block reflected XSS attempts targeting the Multilang Contact Form. Monitor official digitaldonkey channels for updates.