Ultra Addons for Contact Form 7 3.5.11 – 3.5.19 – Unauthenticated Stored Cross-Site Scripting via Database module | CVE 2025-6212 | Plugin Vulnerabilities

Description

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Database module in versions 3.5.11 to 3.5.19 due to insufficient input sanitization and output escaping. The unfiltered field names are stored alongside the sanitized values. Later, the admin-side AJAX endpoint ajax_get_table_data() returns those raw names as JSON column headers, and the client-side DataTables renderer injects them directly into the DOM without any HTML encoding. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

ultimate-addons-for-contact-form-7

Fixed in 3.5.20

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f49e48cb-7d0b-4bcf-9090-869472b8442a

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Sy5temFr4cture

Verified

No

WPVDB ID

e529871d-a7e6-40c1-9dce-b83079ac8205

Timeline

Publicly Published

2025-06-25 (about 10 months ago)

Added

2025-06-25 (about 10 months ago)

Last Updated

2025-06-26 (about 10 months ago)

Other

Published

Title

Published

2018-11-07

Title

Better WordPress reCAPTCHA <= 2.0.3 - Unauthenticated Cross-Site Scripting (XSS)

Published

2023-12-22

Title

WP Crowdfunding < 2.1.10 - Admin+ Stored XSS

Published

2024-09-24

Title

CubeWP Forms – All-in-One Form Builder < 1.1.2 - Unauthenticated Stored Cross-Site Scripting

Published

2025-04-07

Title

Widgetize Pages Light <= 3.0 & Widgets as Shortcodes <= 5.9.10 - Reflected Cross-Site Scripting

Published

2025-01-16

Title

WOW Best CSS Compiler <= 2.0.2 - Reflected Cross-Site Scripting