CVE-2025-6212
BaseFortify
Publication date: 2025-06-26
Last updated on: 2025-07-08
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themefic | ultimate_addons_for_contact_form_7 | From 3.5.11 (inc) to 3.5.20 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Ultra Addons for Contact Form 7 WordPress plugin (versions 3.5.11 to 3.5.19) is a Stored Cross-Site Scripting (XSS) issue. It occurs because the plugin does not properly sanitize and escape input field names before storing them in the database and later outputting them in the admin interface. Specifically, unfiltered field names are stored alongside sanitized values, and when the admin-side AJAX endpoint returns these raw field names as JSON column headers, the client-side DataTables renderer injects them directly into the DOM without HTML encoding. This allows unauthenticated attackers to inject arbitrary scripts that execute whenever a user accesses the affected admin pages. [1, 2, 4]
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to execute arbitrary JavaScript in the context of the WordPress admin pages where the plugin's database entries are viewed. This can lead to theft of admin session cookies, unauthorized actions performed on behalf of the admin, defacement of admin pages, or other malicious activities that compromise the security and integrity of the WordPress site. Since the attack vector is stored XSS, the malicious script persists and affects any admin user who views the injected data. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting this vulnerability means checking whether an affected version (3.5.11 to 3.5.19) of the Ultra Addons for Contact Form 7 plugin is installed and whether unfiltered field names are being stored and returned through the admin AJAX endpoint ajax_get_table_data(). Because the stored XSS is delivered through JSON column headers that are injected into the DOM, monitoring requests to that admin endpoint for unescaped markup or script content in the column headers can reveal exploitation attempts. The resources provide no explicit detection commands, but administrators can inspect AJAX responses in browser developer tools or capture requests to ajax_get_table_data() with network monitoring tools and check the column headers for suspicious payloads. The installed plugin version can also be checked with WP-CLI: `wp plugin get ultimate-addons-for-contact-form-7 --field=version` to verify whether a vulnerable version is in use. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Ultra Addons for Contact Form 7 plugin to version 3.5.20 or later, where sanitization and escaping of form field keys and values have been implemented to prevent stored XSS attacks. If updating is not immediately possible, restrict access to the admin AJAX endpoint ajax_get_table_data() to trusted users only, and monitor for suspicious activity. Applying proper input sanitization and output escaping as shown in the version 3.5.20 patch (using sanitize_key() and esc_html()) is critical. Additionally, ensure that WordPress user permissions and nonce verifications are enforced to prevent unauthorized AJAX requests. [4]
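The following is an added example, not code from the plugin or from the 3.5.20 patch. It illustrates the two points made in the detection and mitigation answers above: a column header taken from an AJAX JSON response becomes a DOM injection sink when it is concatenated into markup raw, and it is neutralized when field keys are sanitized at storage time and HTML-escaped at output time. The function names, the constructed sample response, and `sanitizeFieldKey()` (an approximation of what WordPress sanitize_key() does: lowercase and keep only letters, digits, underscore and hyphen) are assumptions for illustration; `escapeHtml()` plays the role of esc_html(). `findSuspiciousHeaders()` is a defender-side check that can be run over captured JSON responses.

```javascript
// Added example (not the plugin's own code). Demonstrates the stored-XSS sink
// described in the advisory and the two defensive layers the 3.5.20 patch is
// said to add: sanitizing field keys before storage and escaping them on output.

// Escape the characters that matter in an HTML text or attribute context
// (stand-in for WordPress esc_html()).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Assumption: approximation of WordPress sanitize_key(), which lowercases the
// input and keeps only [a-z0-9_-]. Applied to field names before they are stored.
function sanitizeFieldKey(value) {
  return String(value).toLowerCase().replace(/[^a-z0-9_-]/g, "");
}

// Vulnerable pattern: headers from the AJAX JSON are dropped into HTML as-is,
// which is what the advisory describes for the client-side DataTables renderer.
function renderHeaderRowUnsafe(columns) {
  return "<tr>" + columns.map((c) => "<th>" + c + "</th>").join("") + "</tr>";
}

// Hardened pattern: every header is escaped before it touches markup.
function renderHeaderRowSafe(columns) {
  return "<tr>" + columns.map((c) => "<th>" + escapeHtml(c) + "</th>").join("") + "</tr>";
}

// Defender-side check over a captured AJAX JSON response: a legitimate form
// field name never needs angle brackets, a javascript: scheme or an on*= handler.
const SUSPICIOUS_HEADER = /<|>|javascript:|\bon[a-z]+\s*=/i;
function findSuspiciousHeaders(response) {
  return (response.columns || []).filter((c) => SUSPICIOUS_HEADER.test(String(c)));
}

// Constructed sample response: two ordinary field names plus one stored,
// unfiltered field name that carries markup.
const SAMPLE_RESPONSE = {
  columns: ["your-name", "your-email", "<script>alert(1)</script>"],
  data: [["Alice", "alice@example.com", "hello"]],
};

// Runs all three layers over the sample and returns the results for inspection.
function demo() {
  const flagged = findSuspiciousHeaders(SAMPLE_RESPONSE);
  const unsafe = renderHeaderRowUnsafe(SAMPLE_RESPONSE.columns);
  const safe = renderHeaderRowSafe(SAMPLE_RESPONSE.columns);
  const stored = SAMPLE_RESPONSE.columns.map(sanitizeFieldKey);
  return { flagged, unsafe, safe, stored };
}

const result = demo();
console.log("flagged headers:", result.flagged);
console.log("unsafe row:", result.unsafe);
console.log("safe row:", result.safe);
console.log("keys as stored after sanitizing:", result.stored);
```

Both layers are worth keeping: sanitizing at storage time means a malicious key never reaches the database, while escaping at output time protects any other renderer that reads the same column from JSON. The `findSuspiciousHeaders()` check is what an administrator would apply to responses captured from ajax_get_table_data() while an upgrade to 3.5.20 is pending.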