CVE-2025-24726
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS. This issue affects HT Contact Form 7: from n/a through <= 1.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HT Contact Form 7 plugin ≤1.2.1 is vulnerable to stored XSS, allowing attackers with contributor-level access to inject malicious scripts that execute in visitors' browsers.
The HT Contact Form 7 WordPress plugin (ht-contactform), in versions up to and including 1.2.1, is susceptible to a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. The stored XSS arises because the plugin neither sanitizes the input on the way in nor escapes it on the way out, so an attacker can submit arbitrary HTML or JavaScript that is persisted on the server and executed in the browser of every user who later loads the affected page.
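To make the "sanitize on input, escape on output" point concrete, the following is an added illustrative example and not code from the ht-contactform plugin: a hypothetical plugin setting saved from an admin form and rendered through a shortcode, shown first in the unsafe form and then hardened. The option name, shortcode tag, nonce action and required capability are all assumptions; only the WordPress API calls (sanitize_text_field, esc_html, current_user_can, check_admin_referer, update_option, get_option, add_shortcode, wp_unslash) are real.

```php
<?php
/*
 * Illustrative stored-XSS pattern and its fix in a WordPress plugin.
 * Hypothetical code, not ht-contactform's source: the option name
 * 'hcf_demo_title', the shortcode tag, the nonce action and the
 * capability check are assumptions made for this example.
 */

// VULNERABLE: the submitted value is stored raw and echoed raw.
function hcf_demo_save_title_unsafe() {
    if ( isset( $_POST['hcf_demo_title'] ) ) {
        // No capability check, no nonce, no sanitization.
        update_option( 'hcf_demo_title', wp_unslash( $_POST['hcf_demo_title'] ) );
    }
}

function hcf_demo_render_title_unsafe() {
    // Whatever was stored (including <script> tags) is written straight
    // into the page, so it runs in every visitor's browser.
    return '<h2 class="hcf-title">' . get_option( 'hcf_demo_title', '' ) . '</h2>';
}

// HARDENED: authorize and sanitize on input, escape on output.
function hcf_demo_save_title_safe() {
    if ( ! isset( $_POST['hcf_demo_title'] ) ) {
        return;
    }
    // Only users allowed to manage options may change this setting;
    // contributor-level accounts do not have this capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Reject forged requests (CSRF) with a nonce tied to this action.
    check_admin_referer( 'hcf_demo_save_title' );
    // sanitize_text_field() strips tags, line breaks and invalid UTF-8
    // before the value reaches the database.
    $title = sanitize_text_field( wp_unslash( $_POST['hcf_demo_title'] ) );
    update_option( 'hcf_demo_title', $title );
}

function hcf_demo_render_title_safe() {
    // Escape at the point of output regardless of who saved the value:
    // esc_html() turns < > & " ' into entities for element content.
    return '<h2 class="hcf-title">' . esc_html( get_option( 'hcf_demo_title', '' ) ) . '</h2>';
}

function hcf_demo_render_title_attr_safe() {
    // Different context, different escaper: inside an attribute use esc_attr().
    return '<div data-title="' . esc_attr( get_option( 'hcf_demo_title', '' ) ) . '"></div>';
}

add_shortcode( 'hcf_demo_title', 'hcf_demo_render_title_safe' );
```

The two halves of the fix are independent defenses: input sanitization limits what can be stored, while output escaping guarantees that even data that bypassed sanitization (or was written by another code path) cannot change the HTML structure of the page. Reviewing a plugin for this class of bug means checking every `echo`/return of stored data for the context-appropriate `esc_*` call.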
Exploitation
Exploitation requires an authenticated user with at least contributor-level privileges, as the vulnerable input fields are only accessible through the WordPress admin interface [1]. Once submitted, the malicious payload is stored and later rendered in the pages viewed by site visitors or administrators. User interaction is not required from the victim after the payload is stored; the script executes automatically when the page loads [1].
Impact
Successful exploitation allows an attacker to inject malicious scripts that can perform actions such as redirecting visitors to attacker-controlled sites, displaying advertisements, or stealing session cookies and other sensitive information [1]. This type of vulnerability is frequently used in mass exploitation campaigns against WordPress installations.
Mitigation
The vulnerability is patched in version 1.2.2 of the HT Contact Form 7 plugin [1]. Users are strongly advised to update immediately to the latest version. For sites that cannot be updated promptly, consider disabling the plugin or restricting contributor-level access as a temporary workaround. The vulnerability is tracked with a CVSS v3 score of 6.5 (Medium severity).
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.