CVE-2026-0753 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Super Simple Contact Form plugin for WordPress, developed by bitacre. This vulnerability affects all versions up to and including 1.6.2. The root cause is insufficient sanitization and escaping of user-supplied input in the 'sscf_name' parameter during web page generation. When an attacker crafts a malicious URL containing a script payload in this parameter and convinces a user to click it, the injected script executes within the context of the victim's browser session. This can lead to theft of sensitive information such as cookies, session tokens, or other data accessible to the browser, as well as potential manipulation of the displayed content or redirection to malicious sites. The vulnerability requires no authentication and no user interaction beyond clicking a link, making it relatively easy to exploit. The CVSS v3.1 base score is 7.2, reflecting high severity due to network attack vector, low attack complexity, no privileges required, no user interaction beyond clicking, and a scope change with partial impact on confidentiality and integrity but no impact on availability. Although no known exploits are currently in the wild, the widespread deployment of WordPress and the plugin increases the likelihood of exploitation attempts. The vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation leading to XSS. No official patches or updates are linked yet, so mitigation relies on applying best practices or plugin updates once available.

The primary impact of CVE-2026-0753 is on the confidentiality and integrity of data processed or displayed by affected WordPress sites using the Super Simple Contact Form plugin. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially stealing session cookies, credentials, or other sensitive information. This can lead to account compromise, unauthorized actions on behalf of users, or further attacks such as phishing or malware distribution. The vulnerability does not affect availability directly but can undermine user trust and site reputation. Organizations relying on this plugin for customer interaction or data collection risk exposure of sensitive user data and potential regulatory compliance issues. The ease of exploitation and lack of authentication requirements increase the threat level, especially for high-traffic websites. Additionally, the scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the immediate plugin context, potentially impacting other parts of the site or user sessions.

1. Immediate mitigation involves disabling or removing the Super Simple Contact Form plugin until a patched version is released. 2. Monitor the plugin vendor's official channels for security updates or patches addressing this vulnerability and apply them promptly. 3. Implement a Web Application Firewall (WAF) with rules to detect and block malicious payloads targeting the 'sscf_name' parameter, focusing on common XSS attack patterns. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website, mitigating the impact of potential XSS attacks. 5. Sanitize and validate all user inputs at the application level, ensuring that any data reflected back to users is properly escaped. 6. Educate users and administrators about the risks of clicking suspicious links and encourage cautious behavior. 7. Conduct regular security assessments and penetration testing focusing on input validation and output encoding to detect similar vulnerabilities. 8. Consider alternative contact form plugins with a strong security track record if immediate patching is not feasible.