HIGH | CVE-2026-39449 | CNA: Patchstack

CVE-2026-39449: WordPress Contact Form to Any API plugin <= 3.0.3 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Contact Form to Any API, versions <= 3.0.3.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: none published
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a cross-site scripting (XSS) vulnerability in the Contact Form to Any API WordPress plugin by IT Path Solutions, affecting versions 3.0.3 and earlier; the advisory does not state whether the injection is reflected or stored. The flaw is reachable over the network with no authentication, but a victim must interact with a crafted link or manipulated input for the attack to succeed (CVSS UI:R). Successful exploitation runs attacker-controlled JavaScript in the victim's browser within the WordPress site's origin, enabling session theft or session riding, page-content manipulation, and limited disruption of that browser session. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as upstream ships one.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-39449 is available across every HarborGuard environment: the CVE is matched against customer images within minutes of ingestion from upstream feeds (including Patchstack), and coverage extends to custom-built images that bundle this plugin. It applies to both registry scans and active CI/CD pipeline checks.
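One way to implement the version check behind this kind of detection, as an added example that is not HarborGuard's or the plugin's code: it parses the standard WordPress plugin header (the Plugin Name and Version fields that WordPress itself reads from the comment block of a plugin's main PHP file) and compares the version against the advisory's <= 3.0.3 bound. The plugin directory name contact-form-to-any-api in the constructed sample and the wp-content/plugins layout are assumptions; the sample headers are constructed for this example, not real plugin source.

```python
"""Added example (not HarborGuard or IT Path Solutions code): decide whether a
WordPress plugin bundled in an image falls inside an advisory's affected range."""
import re
from pathlib import Path

# Affected range taken from the advisory: Contact Form to Any API <= 3.0.3.
AFFECTED_PLUGIN_NAME = "Contact Form to Any API"
AFFECTED_MAX_VERSION = "3.0.3"

# WordPress identifies a plugin by "Key: value" lines in the comment header of
# its main PHP file; this regex tolerates the same leading "*", "/", "#" noise.
_HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*(?:\*/)?[ \t]*$",
    re.MULTILINE | re.IGNORECASE,
)


def parse_plugin_header(php_source: str) -> dict[str, str]:
    """Return the header fields found in the first 8 KB of a plugin file
    (WordPress reads only that much), keeping the first occurrence of each."""
    fields: dict[str, str] = {}
    for key, value in _HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(key.title(), value.strip())
    return fields


def version_key(version: str) -> tuple[int, ...]:
    """Numeric-segment key so that 3.0.10 sorts after 3.0.3 and 3.0 before 3.0.3.
    Non-numeric suffixes are ignored; an empty string yields () and sorts lowest."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str, max_affected: str = AFFECTED_MAX_VERSION) -> bool:
    """True when version <= max_affected under numeric segment comparison."""
    return version_key(version) <= version_key(max_affected)


def find_affected(sources: dict[str, str]) -> list[tuple[str, str]]:
    """Scan {path: php_source} and return (path, version) for affected copies.
    A matching plugin with no Version header is reported as affected rather
    than skipped, so stripped or hand-edited copies do not hide."""
    hits: list[tuple[str, str]] = []
    for path, source in sources.items():
        header = parse_plugin_header(source)
        if header.get("Plugin Name") != AFFECTED_PLUGIN_NAME:
            continue
        version = header.get("Version")
        if version is None or is_affected(version):
            hits.append((path, version or "unknown"))
    return hits


def load_plugin_sources(plugins_dir: Path) -> dict[str, str]:
    """Read the top-level PHP files of each plugin directory (assumed layout:
    an unpacked image's wp-content/plugins) for use with find_affected()."""
    return {
        str(p): p.read_text(errors="replace")[:8192]
        for p in sorted(plugins_dir.glob("*/*.php"))
    }


# Constructed sample headers (not real plugin source). The directory name
# contact-form-to-any-api is an assumed slug for illustration.
SAMPLE_SOURCES = {
    "wp-content/plugins/contact-form-to-any-api/contact-form-to-any-api.php": (
        "<?php\n"
        "/**\n"
        " * Plugin Name: Contact Form to Any API\n"
        " * Version: 3.0.3\n"
        " */\n"
    ),
    "wp-content/plugins/other-plugin/other-plugin.php": (
        "<?php\n"
        "/*\n"
        "Plugin Name: Some Other Plugin\n"
        "Version: 3.0.3\n"
        "*/\n"
    ),
}

if __name__ == "__main__":
    for path, version in find_affected(SAMPLE_SOURCES):
        print(f"AFFECTED {path} (version {version} <= {AFFECTED_MAX_VERSION})")
```

To run this against a real image, unpack its filesystem, point `load_plugin_sources` at the `wp-content/plugins` directory and pass the result to `find_affected`. Matching on the Plugin Name header rather than the directory name is deliberate: the slug can be renamed when a plugin is vendored into a custom image, while the header is what WordPress itself uses to identify the plugin.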
Triage: Available

HarborGuard scores this CVE at CVSS 7.1 (HIGH) and weights it against each customer environment's compliance policy to reflect actual exposure. Triage routing directs the finding to the appropriate team inbox within each customer organization based on configured ownership rules.
Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available as soon as upstream publishes a corrected release. Until then the finding remains open and is re-evaluated against every advisory update from Patchstack or the plugin maintainer.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected WordPress installation over the network; no local or physical access is needed.

  • Authentication: Not required

    No account or credentials are needed; any unauthenticated visitor can trigger the vulnerability.

  • Victim interaction: Required

    A victim must take an action, such as clicking a crafted link or submitting manipulated form input, for the injected script to execute in their browser.

  • Attack complexity: Low

    The exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout knowledge.

Blast Radius

  • An attacker can read any session cookies or tokens exposed to JavaScript and use them to impersonate the victim. WordPress sets its own authentication cookies HttpOnly by default, so on a stock install the more practical path is the third item below: driving authenticated requests directly from the victim's browser.
  • Injected JavaScript can rewrite the visible content of the page the victim is viewing, enabling phishing or credential-harvesting overlays.
  • Because the script runs in the site's own origin, it can make authenticated requests on behalf of the victim, including fetching the nonces WordPress uses as CSRF protection, and so alter persisted settings or data in the WordPress admin panel if the victim holds elevated privileges.
  • The injected script can degrade or disrupt the victim's use of the affected page, a limited availability impact scoped to that browser session.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is matched against all customer images in registries and pipelines on every scan cycle, covering both off-the-shelf and custom-built images that include this plugin. Because no upstream fix exists as of the publication date, HarborGuard monitors the Patchstack advisory on each ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is released. For customers with auto-remediation enabled, that rebuild is followed by a regression test run and a PR opened against affected workloads.

While no patch is available, compensating controls worth evaluating include disabling the plugin entirely if its functionality is not actively needed (the only interim control that removes the vulnerable code path), web application firewall rules targeting reflected XSS payloads in form parameters (a speed bump rather than a fix: signature-based XSS filters are routinely bypassed with encoding tricks and alternative event handlers, so keep the finding open even with a rule in place), and network-policy isolation restricting who can submit to the affected contact form endpoint (mainly viable for internal or staging deployments, since a public contact form usually has to accept anonymous traffic).

Affected packages
  • IT Path Solutions / Contact Form to Any API, versions ≤ 3.0.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L