HIGH | CVE-2026-39435 | CNA: Patchstack

CVE-2026-39435: WordPress CformsII plugin <= 15.1.3 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in CformsII <= 15.1.3 versions.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: no fix version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

A reflected or stored cross-site scripting (XSS) vulnerability exists in the WordPress CformsII plugin at version 15.1.3 and earlier. The flaw is reachable over the network without any authentication, but requires a victim to interact with a crafted link or page. Successful exploitation lets an attacker inject and execute arbitrary JavaScript in a victim's browser, enabling session hijacking, content manipulation, and minor service disruption. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as a fix version is released.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-39435 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built WordPress images carrying the CformsII plugin. Any image layer containing CformsII at or below version 15.1.3 is flagged automatically.

Triage: Available

HarborGuard surfaces this CVE with its CVSS v3.1 score of 7.1 (HIGH) and applies per-environment compliance policy weighting to prioritize it appropriately within each customer org. Triage routing delivers the finding to the team or inbox configured for high-severity web-application vulnerabilities in each environment.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the Patchstack advisory and authoritative feeds on every ingest cycle. The moment a patched release of CformsII is published, a rebuilt image at that version becomes available, and customers with auto-remediation enabled receive an automated rebuild, regression-test run, and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via standard HTTP or HTTPS traffic.

  • Authentication: Not required

    No account or credential is needed; the attacker can trigger the vulnerable code path as an anonymous user.

  • Victim interaction: Required

    A victim must follow a crafted link or visit an attacker-controlled page that triggers the malicious script, making this a social-engineering vector.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or environmental preconditions.

Blast Radius

  • Reads session cookies or authentication tokens from the victim's browser session, enabling account takeover.
  • Injects arbitrary content into the page the victim is viewing, allowing defacement or phishing within the trusted WordPress origin.
  • Performs actions inside the WordPress application on behalf of the victim, including modifying settings or submitting forms.
  • Causes minor disruption to the victim's browser session by redirecting or breaking page functionality.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the Patchstack advisory and all authoritative vulnerability feeds for CVE-2026-39435. Because no upstream fix exists today, HarborGuard re-evaluates the advisory on every ingest cycle so that detection remains current. In the meantime, customers can apply compensating controls through HarborGuard network policies, such as isolating WordPress containers behind an ingress that restricts untrusted input paths, adding egress filtering to limit JavaScript exfiltration vectors, or using feature-flag gating to disable CformsII form endpoints until a patch is available. The moment bgermann ships a patched release of CformsII, a rebuilt image at that version becomes available on HarborGuard; for customers with auto-remediation enabled, that triggers an automated rebuild, regression-test run, and a PR opened against every affected workload, with median time from CVE fix publication to merged patch PR for high-severity issues around 90 minutes.

Affected packages
  • bgermann / CformsII ≤ 15.1.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L