CVE-2025-25127
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rohitashv Singhal Contact Us By Lord Linus contact-us-by-lord-linus allows Reflected XSS. This issue affects Contact Us By Lord Linus: from n/a through <= 2.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in Contact Us By Lord Linus WordPress plugin allows script injection via improperly neutralized input.
Vulnerability Details
The Contact Us By Lord Linus WordPress plugin, in versions up to and including 2.6, contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This means the plugin fails to sanitize or escape certain parameters before including them in output, enabling an attacker to inject arbitrary HTML or JavaScript into the page.
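The failure described above is an output-encoding defect: a request parameter is written into generated HTML without being neutralized for the context it lands in. The following constructed PHP example (not code from the Contact Us By Lord Linus plugin; the parameter name `cu_status` and both function names are hypothetical) shows the vulnerable pattern beside the hardened form that uses WordPress's input-sanitization and output-escaping API, with minimal stand-ins so it also runs under plain `php` outside WordPress.

```php
<?php
// Constructed example, not code from the Contact Us By Lord Linus plugin: a form
// handler that reflects a query-string parameter into the response page. The
// parameter name "cu_status" and the function names are hypothetical.

// Minimal stand-ins so this file runs with plain `php` outside WordPress; inside
// WordPress the real esc_html/esc_attr/sanitize_text_field/wp_unslash are used.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $t ) { return htmlspecialchars( $t, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
    function esc_attr( $t ) { return htmlspecialchars( $t, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
    function wp_unslash( $t ) { return stripslashes( $t ); }
    function sanitize_text_field( $t ) { return trim( strip_tags( $t ) ); }
}

// VULNERABLE pattern: the raw value is concatenated into HTML with no
// neutralization, so markup supplied in the URL becomes part of the page.
function cu_render_status_vulnerable( array $get ) {
    if ( empty( $get['cu_status'] ) ) {
        return '';
    }
    $status = $get['cu_status'];
    return '<div class="cu-status" data-status="' . $status . '">' . $status . '</div>';
}

// HARDENED pattern: unslash and sanitize on input, restrict to the values the
// plugin actually emits, then escape separately for each output context.
function cu_render_status_hardened( array $get ) {
    if ( empty( $get['cu_status'] ) ) {
        return '';
    }
    $allowed = array( 'sent', 'error', 'spam' );
    $status  = sanitize_text_field( wp_unslash( $get['cu_status'] ) );
    if ( ! in_array( $status, $allowed, true ) ) {
        $status = 'error'; // unknown value: fall back instead of reflecting it
    }
    return sprintf(
        '<div class="cu-status" data-status="%s">%s</div>',
        esc_attr( $status ),  // attribute context
        esc_html( $status )   // element-body context
    );
}

// Demonstration with a constructed request value that carries HTML markup.
$request = array( 'cu_status' => '<b>sent</b>' );
echo cu_render_status_vulnerable( $request ), PHP_EOL; // vulnerable rendering
echo cu_render_status_hardened( $request ), PHP_EOL;   // hardened rendering
```

The allow-list step is optional but removes the reflection entirely for status-style parameters; where free text must be echoed, the escaping functions chosen per context are the essential control.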
Exploitation Scenario
Exploitation requires user interaction: an attacker must trick a logged-in administrator or other privileged user into clicking a crafted link or visiting a specially prepared page. No authentication is required from the attacker, but the target user must be authenticated and have sufficient privileges to trigger the vulnerable functionality. The attack vector is network-based and of low complexity; the attacker needs no privileges on the site, only knowledge of the target website.
The reflected XSS can be delivered via a malicious URL that, when visited by the victim, executes the injected script in the context of the vulnerable WordPress site [1].
Impact
Successful exploitation could allow an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, that execute when other users visit the site. This could lead to session hijacking, defacement, or redirection to malicious websites [1].
Mitigation Status
As of the advisory publication, there is no official patch available. The recommended immediate action is to update the plugin if a patched version becomes available. In the interim, users can apply a mitigation rule available from Patchstack to block exploitation attempts until an official fix is released and safely tested [1]. This vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting WordPress sites [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.