CVE-2025-39521: 
WordPress vulnerability analysis and mitigation

The Contact Form vCard Generator WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-39521. The vulnerability was discovered by researcher Nguyen Xuan Chien and publicly disclosed on April 17, 2025. This security issue affects all versions of the Contact Form vCard Generator plugin up to and including version 2.4, with no known fix currently available (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The issue stems from insufficient input sanitization and output escaping in the plugin's code (NVD, Patchstack).

This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute when users interact with maliciously crafted content, such as clicking on a specially crafted link. The CVSS scoring indicates potential impacts on confidentiality, integrity, and availability, all rated as Low (WPScan, Patchstack).

While no official fix is currently available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Website administrators are advised to implement strict access controls and consider using the Patchstack security solution for protection until an official patch becomes available (Patchstack).