CVE-2025-58989

The Dynamic Text Field For Contact Form 7 plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. In versions up to and including 1.0, the plugin fails to sanitize and escape dynamic text fields, allowing an attacker to embed arbitrary JavaScript that persists on the site.

Exploitation requires a privileged user—such as a site administrator or editor—to perform an action, like clicking a malicious link or submitting a crafted form [1]. Once triggered, the injected script becomes part of a page and executes automatically when any visitor loads that page. This user interaction diminishes the attack vector but does not eliminate the risk.

If successfully exploited, an attacker can inject scripts that perform redirects, display advertisements, or steal session tokens and other sensitive data from site visitors [1]. The payloads can be used to deface pages, launch phishing attacks, or compromise additional accounts.

The vulnerability is patched in version 1.1 of the plugin; users are strongly advised to update immediately [1]. While the vendor rates the severity as low and exploitation as unlikely, this type of stored XSS is commonly targeted in mass exploitation campaigns against WordPress sites [1].