VYPR
Medium severity · 5.9 · NVD Advisory · Published May 7, 2025 · Updated Apr 23, 2026

CVE-2025-47518


Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on (contact-form-7-paypal-add-on) allows Stored XSS. This issue affects Contact Form 7 – PayPal & Stripe Add-on: from n/a through <= 2.3.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Contact Form 7 – PayPal & Stripe Add-on (≤ 2.3.4) allows privileged attackers to inject malicious scripts executed on visitors' browsers.

Vulnerability

Overview

The Contact Form 7 – PayPal & Stripe Add-on for WordPress suffers from a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. Versions from n/a up to and including 2.3.4 are affected. The root cause is that the plugin fails to sanitize or escape certain inputs before storing them in the database, allowing script payloads to persist.
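The pattern behind this class of bug, as an added illustration that is not the plugin's own code: a setting saved by a privileged user is echoed into markup without escaping. The option name and payload are constructed, and `sanitize_text_field()`/`esc_attr()` are plain-PHP stand-ins for the WordPress helpers so the script runs under the `php` CLI alone.

```php
<?php
// Illustrative example, not the plugin's own code. The option name and the
// stored value are constructed; the two helpers below approximate the
// WordPress functions of the same name so this runs without WordPress.
function sanitize_text_field(string $s): string {
    return trim(strip_tags($s));            // strip tags, trim whitespace
}
function esc_attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed settings row, as a privileged user might have saved it.
$stored = ['payment_button_label' => '"><script>alert(1)</script>'];

// Vulnerable pattern: the stored value lands in an attribute untouched,
// so the quote breaks out of the attribute and the tag is rendered.
function render_vulnerable(array $opts): string {
    return '<input type="submit" value="' . $opts['payment_button_label'] . '">';
}

// Hardened pattern: sanitize when saving AND escape for the output
// context (attribute here). Output escaping is the part that matters.
function save_hardened(string $raw): string {
    return sanitize_text_field($raw);
}
function render_hardened(array $opts): string {
    return '<input type="submit" value="' . esc_attr($opts['payment_button_label']) . '">';
}

echo render_vulnerable($stored), PHP_EOL;
$clean = ['payment_button_label' => save_hardened($stored['payment_button_label'])];
echo render_hardened($clean), PHP_EOL;
```

The second line of output keeps the label inside the attribute as literal text; escaping alone would already achieve that, which is why review should check every echo of a stored setting, not only the save path.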

Exploitation

Prerequisites

Exploitation requires a privileged user role (e.g., administrator or editor) to submit a crafted form or perform an action that injects malicious script code [1]. Although planting the payload requires an authenticated account, the injected script executes in the browser of any visitor who views the affected page, so the stored payload reaches unauthenticated visitors as well.

Impact

A successful stored XSS attack can allow an attacker to inject arbitrary JavaScript, which may be used to redirect visitors, display unwanted advertisements, steal session cookies, or perform other malicious actions within the context of the victim's browser [1]. The CVSS v3 base score is 5.9 (Medium), reflecting the authentication requirement weighed against the potential for broad impact on site visitors.

Mitigation

The vulnerability has been fixed in version 2.4.1 of the plugin [1]. Users are strongly advised to update immediately or enable auto-updates for the plugin via Patchstack [1]. As of the publication date, no workaround is detailed; updating is the recommended and only mitigation path.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
