CVE-2025-8315: 
WordPress vulnerability analysis and mitigation

The WP Easy Contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'noaccess_msg' parameter in all versions up to, and including, 4.0.1. This vulnerability was discovered and disclosed on August 4, 2025 (NVD, WordPress Plugin).

The vulnerability exists due to insufficient input sanitization and output escaping of the 'noaccess_msg' parameter in the plugin. This security flaw allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. The vulnerability has been assigned a CVSS v3.1 score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When successfully exploited, this vulnerability allows attackers to inject malicious scripts that will execute whenever a user accesses an affected page. This can lead to potential theft of sensitive information, session hijacking, or other client-side attacks against site visitors (NVD).

The vulnerability has been patched in version 4.0.2 of the WP Easy Contact plugin. Site administrators are strongly advised to update to this latest version. The update includes fixes for the XSS vulnerability in the noaccess_msg parameter along with other security improvements (WordPress Plugin).