Contact Form Clean and Simple is vulnerable to authenticated stored XSS. A user with admin capabilities can submit malicious code through the plugin's options; that code is then executed on every front-end page that embeds the contact form.

Proof of concept

Enable the consent checkbox option and add malicious code to the consent message box; every visitor who loads a front-end page containing the contact form is then exposed to this code.
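The root cause described above is an admin-controlled option that is printed into the front-end page without escaping. The following is an added example, not code from the plugin or its author: it contrasts the unsafe rendering pattern with two hardened variants (plain-text escaping, and a restricted-HTML allow-list) and registers a sanitize callback so the value is also cleaned on save. The option name `example_cf_consent_message`, the setting group and the `render_consent_*` function names are hypothetical; the fallbacks at the top only exist so the file runs outside WordPress.

```php
<?php
// Added example (hypothetical names, not the plugin's own code).
// Demonstrates rendering an admin-controlled option such as a consent message.

// Fallbacks so this file also runs with plain `php file.php`. Inside WordPress
// the real esc_html() and wp_kses_post() are defined and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_kses_post')) {
    // Simplified stand-in: keeps only a small tag allow-list. The real
    // wp_kses_post() additionally strips event-handler attributes and
    // javascript: URLs, so use it (not this stub) inside WordPress.
    function wp_kses_post($text) {
        return strip_tags((string) $text, '<p><br><strong><em><a>');
    }
}

// Constructed sample of what an admin could save in the consent message box.
$consent_message = 'I agree to the <strong>terms</strong><script>alert(1)</script>';

// Vulnerable pattern: the stored option is concatenated straight into the
// markup, so whatever was saved runs in every visitor's browser.
function render_consent_unsafe($message) {
    return '<label><input type="checkbox" name="consent"> ' . $message . '</label>';
}

// Hardened pattern A: treat the message as text. No part of it is parsed as HTML.
function render_consent_text($message) {
    return '<label><input type="checkbox" name="consent"> ' . esc_html($message) . '</label>';
}

// Hardened pattern B: allow limited formatting (bold, links) but drop scripts.
function render_consent_kses($message) {
    return '<label><input type="checkbox" name="consent"> ' . wp_kses_post($message) . '</label>';
}

// Defence in depth: sanitize on save as well, so the database never holds
// the script in the first place. Only registered when running inside WordPress.
if (function_exists('add_action')) {
    add_action('admin_init', function () {
        register_setting('example_cf_options', 'example_cf_consent_message', [
            'type'              => 'string',
            'sanitize_callback' => 'wp_kses_post',
        ]);
    });
}

// Stand-alone demonstration of the three renderings.
echo "UNSAFE: " . render_consent_unsafe($consent_message) . PHP_EOL;
echo "TEXT:   " . render_consent_text($consent_message) . PHP_EOL;
echo "KSES:   " . render_consent_kses($consent_message) . PHP_EOL;
```

Run with `php file.php`: the unsafe line still contains the `<script>` element, the `esc_html` line turns every tag into harmless entities, and the `wp_kses_post` line keeps the `<strong>` formatting while the script element is removed. Escaping at output time is the primary fix because it protects against values already stored; the sanitize callback prevents new ones from being saved.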

Video PoC:

Plugin details

Plugin name: Contact Form Clean and Simple Plugin
Plugin Author: Meg Nicholas

  • Tuesday, 14th of January 2020: Vulnerability detected by Jeroen Mulder. Plugin's author notified.
  • Tuesday, 21st of January 2020: Plugin author notified again after no response.
  • Wednesday, 22nd of January 2020: Vulnerability posted to and this website.

Written by:

Jeroen Mulder

Jeroen cooks, hacks and climbs mountains.