CVE-2025-26560: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in WP Contact Form III WordPress plugin, tracked as CVE-2025-26560. The vulnerability affects versions up to 1.6.2d and is characterized as an Improper Neutralization of Input During Web Page Generation issue. The vulnerability was disclosed on March 26, 2025 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The technical classification falls under CWE-79, which refers to Improper Neutralization of Input During Web Page Generation. This indicates that the vulnerability allows for reflected XSS attacks through improper input validation (NVD).

The vulnerability allows attackers to execute reflected cross-site scripting attacks, potentially leading to the compromise of confidentiality, integrity, and availability of the affected system. The CVSS metrics indicate low impact across confidentiality, integrity, and availability, but the chained nature of the attack (as indicated by the 'S:C' in the CVSS vector) suggests potential for more significant impact (NVD).

Users of WP Contact Form III should upgrade their installations to a version newer than 1.6.2d once available. Until a patch is released, website administrators should consider implementing Web Application Firewall (WAF) rules to filter potentially malicious input and consider temporarily disabling the plugin if possible (NVD).