HarborGuard Database

CVE-2026-23970 | Severity: HIGH | CNA: Patchstack

CVE-2026-23970: WordPress Redirection for Contact Form 7 plugin <= 3.2.8 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Redirection for Contact Form 7 <= 3.2.8 versions.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

A reflected or stored Cross-Site Scripting (XSS) vulnerability exists in the Redirection for Contact Form 7 WordPress plugin at version 3.2.8 and earlier, developed by Themeisle. The flaw is reachable over the network without any authentication, but requires a victim to interact with a crafted link or page, as indicated by the CVSS vector (AV:N/PR:N/UI:R). Successful exploitation allows an attacker to inject and execute arbitrary JavaScript in a victim's browser, enabling session hijacking, credential theft, unauthorized actions on behalf of the victim, or defacement of page content. No fix version has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-23970 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle this plugin. Any image carrying the Redirection for Contact Form 7 plugin at version 3.2.8 or earlier is flagged automatically.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 7.1 HIGH and weighting that score against each customer org's configured compliance policy to determine urgency and escalation path. Triage findings are routable to the appropriate team inbox within each customer environment based on image ownership and policy rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment Themeisle ships a remediated release. In the meantime, customers can use HarborGuard's policy controls to flag or block deployment of images containing the affected plugin version while awaiting an upstream patch.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the target WordPress site over the network; the vulnerable plugin endpoint is exposed via standard HTTP/HTTPS.

  • Authentication: Not required

    No account or credentials are needed; the vulnerability is exploitable by any unauthenticated party who can send a request to the affected site.

  • Victim interaction: Required

    A victim must follow a crafted link or visit a manipulated page that triggers the injected script in their browser session.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout knowledge.

Blast Radius

  • Reads the victim's active session cookies, enabling session hijacking and impersonation of that user on the WordPress site.
  • Executes arbitrary JavaScript in the victim's browser context, allowing theft of form inputs, credentials, or other sensitive data entered on the page.
  • Performs unauthorized actions on the WordPress site on behalf of the victim, such as modifying settings or publishing content, up to the victim's privilege level.
  • Manipulates visible page content in the victim's browser, which can be used for phishing or to display misleading information.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-23970 as of the publication date, HarborGuard monitors the Patchstack advisory and the Themeisle release channel on every ingest cycle. The moment a patched version of Redirection for Contact Form 7 is published, a rebuilt image at that version becomes available for affected environments, and customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads (median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled, once an upstream fix exists).

While no patch is available, compensating controls include applying network-policy isolation to restrict which users or roles can access WordPress admin surfaces, using a web application firewall rule to block requests containing common XSS payloads targeting this plugin's parameters, and pinning deployment policies to reject images that include the Redirection for Contact Form 7 plugin at version 3.2.8 or below.
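The last compensating control above, rejecting images that still carry the affected plugin version, comes down to reading the plugin's version out of its WordPress plugin header and comparing it against the advisory's upper bound. The following is an added example of that check, written for this page and not HarborGuard's own scanner code. It assumes the plugin's main PHP file carries the standard WordPress plugin header (`Plugin Name:` and `Version:` lines); the plugin name and the ≤ 3.2.8 bound come from the advisory, while the sample header contents, the placeholder Plugin URI and the version values used are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Upper bound of the affected range as stated in the advisory (versions <= 3.2.8).
AFFECTED_PLUGIN_NAME = "Redirection for Contact Form 7"
AFFECTED_MAX_VERSION = "3.2.8"

# Constructed sample of a WordPress plugin header (the layout follows the standard
# WordPress plugin header convention; the URI is a placeholder and the contents are made up).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Redirection for Contact Form 7
 * Plugin URI: https://example.invalid/placeholder
 * Description: constructed sample header for the version check example
 * Version: 3.2.8
 * Author: Themeisle
 */
"""

# Header lines look like " * Version: 3.2.8"; the optional "*" handles docblock style.
_NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.MULTILINE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.2.8' into (3, 2, 8).

    Each dotted component is read up to its first non-digit, so a pre-release tag
    such as '3.2.9-beta1' compares as (3, 2, 9); anything after a fully non-numeric
    component is ignored. Numeric comparison avoids the string-order trap where
    '3.2.10' would sort below '3.2.8'.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str, affected_max: str = AFFECTED_MAX_VERSION) -> bool:
    """True when `version` falls inside the advisory's range (<= affected_max)."""
    found, bound = parse_version(version), parse_version(affected_max)
    width = max(len(found), len(bound))
    # Pad to equal length so '3.3' is treated as 3.3.0 when compared with 3.2.8.
    found += (0,) * (width - len(found))
    bound += (0,) * (width - len(bound))
    return found <= bound


def read_plugin_header(source: str) -> Optional[dict]:
    """Extract the plugin name and version from a WordPress plugin main-file header."""
    name = _NAME_RE.search(source)
    version = _VERSION_RE.search(source)
    if not name or not version:
        return None
    return {"name": name.group(1), "version": version.group(1)}


def assess(source: str) -> Optional[dict]:
    """Return a finding for the affected plugin, or None if this file is some other plugin."""
    header = read_plugin_header(source)
    if header is None or header["name"] != AFFECTED_PLUGIN_NAME:
        return None
    return {**header, "affected": is_affected(header["version"])}


if __name__ == "__main__":
    finding = assess(SAMPLE_PLUGIN_HEADER)
    print(finding)  # the constructed sample is at 3.2.8, so it is reported as affected
```

In an image-scanning pipeline the same `assess` call would be run over every `wp-content/plugins/*/*.php` file found in the image layer; the numeric comparison matters because a future `3.2.10` must not be mistaken for a vulnerable version by a plain string compare.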

Affected packages

  • Themeisle / Redirection for Contact Form 7: ≤ 3.2.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L