CVE-2025-6740
BaseFortify
Publication date: 2025-07-04
Last updated on: 2025-07-09
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ciphercoin | contact_form_7_database_addon | to 1.3.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Contact Form 7 Database Addon plugin for WordPress (up to version 1.3.1) is a Stored Cross-Site Scripting (XSS) issue via the 'tmpD' parameter. Due to insufficient input sanitization and output escaping, unauthenticated attackers can inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the injected page, potentially compromising user security.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute malicious scripts in the context of users visiting affected pages. This can lead to theft of user credentials, session hijacking, defacement, or distribution of malware. Since the attack is unauthenticated and stored, it can affect any user who views the injected content, increasing the risk of widespread impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Contact Form 7 Database Addon plugin version installed is 1.3.1 or earlier, as these versions are vulnerable. You can verify the plugin version via WordPress admin dashboard or by inspecting the plugin files. Additionally, you can search for suspicious stored scripts in the database table `{prefix}db7_forms` where form submissions are stored, especially looking for injected scripts in the 'form_value' serialized data. There are no specific commands provided in the resources, but you can use SQL queries to inspect the database, for example: `SELECT form_id, form_value FROM wp_db7_forms WHERE form_value LIKE '%<script>%' OR form_value LIKE '%javascript:%';` to detect possible stored XSS payloads. Also, checking the plugin version via command line can be done by: `wp plugin get contact-form-cfdb7 --field=version` if WP-CLI is installed. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Contact Form 7 Database Addon plugin to version 1.3.2 or later, where the vulnerability has been fixed by properly sanitizing user input using the `sanitize_text_field()` function. If updating immediately is not possible, restrict access to the plugin's data and admin pages, and monitor for suspicious activity. Additionally, consider applying input sanitization or output escaping manually if you have custom code interacting with the plugin data. Regularly back up your database and files before applying updates. [1]