CVE-2025-13975
Stored XSS in Contact Form 7 ChatWork Plugin Settings
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | contact_form_7 | 1.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the WordPress installation uses the Contact Form 7 with ChatWork plugin version 1.1.0 or earlier, especially in multi-site setups or where unfiltered_html is disabled. To detect exploitation attempts or presence of malicious scripts, you can inspect the WordPress options for the 'impath_cw_api_token' and 'impath_cw_roomid' settings for suspicious or unexpected script content. Additionally, monitoring HTTP POST requests to the ChatWork API endpoint 'https://api.chatwork.com/v2/rooms/{roomid}/messages' from your server could indicate exploitation attempts. Example commands include: 1. To check plugin version via WP-CLI: `wp plugin get contact-form-7-with-chatwork --field=version` 2. To search for suspicious scripts in options table: `wp db query "SELECT option_name, option_value FROM wp_options WHERE option_name IN ('impath_cw_api_token', 'impath_cw_roomid') AND option_value LIKE '%<script>%'"` 3. To monitor outgoing POST requests to ChatWork API (Linux): `sudo tcpdump -A -s 0 'tcp dst port 443 and dst host api.chatwork.com'` These steps help identify if the vulnerable plugin is present and if suspicious activity related to the vulnerability is occurring. [1, 2]
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Contact Form 7 with ChatWork plugin for WordPress. It occurs via the 'api_token' and 'roomid' settings due to insufficient input sanitization and output escaping. Authenticated attackers with administrator-level access can inject arbitrary web scripts into pages, which execute whenever a user accesses the settings page. It affects multi-site installations and installations where unfiltered_html is disabled.
How can this vulnerability impact me? :
The vulnerability allows an attacker with administrator-level access to inject malicious scripts that execute when users visit the settings page. This can lead to unauthorized actions, data theft, or session hijacking within the affected WordPress multi-site environment.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Upgrade the Contact Form 7 with ChatWork plugin to a version later than 1.1.0 where the vulnerability is fixed. 2. If an upgrade is not immediately possible, restrict administrator-level access to the WordPress multisite installation to trusted users only, as exploitation requires admin privileges. 3. Ensure that the 'unfiltered_html' capability is not disabled for administrators to reduce risk. 4. Review and sanitize the 'api_token' and 'roomid' settings in the plugin's admin interface to remove any injected scripts. 5. Monitor logs for suspicious activity related to the plugin's API requests. 6. Consider temporarily disabling the plugin if the risk is high and no patch is available. These steps reduce the risk of stored cross-site scripting exploitation via the vulnerable plugin. [1, 2]