CVE-2025-68863
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zack Katz iContact for Gravity Forms (gravity-forms-icontact) allows Reflected XSS. This issue affects iContact for Gravity Forms: from n/a through <= 1.3.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in iContact for Gravity Forms plugin (≤1.3.2) allows attackers to inject malicious scripts via crafted requests, requiring user interaction.
The iContact for Gravity Forms WordPress plugin, versions 1.3.2 and earlier, contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into a response, which is then executed in the victim's browser.
Exploitation requires a privileged user, such as an administrator, to perform an action like clicking a malicious link or visiting a crafted page [1]. The attacker does not need to be authenticated but must trick the target into interacting with the crafted request. This makes the vulnerability suitable for mass-exploitation campaigns targeting thousands of sites regardless of their size or popularity [1].
Successful exploitation enables the attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, which execute when visitors access the affected site [1]. This could lead to site defacement, credential theft, or further compromise of the WordPress installation.
As of the advisory, no official patch has been released, but Patchstack has issued a mitigation rule to block attacks until an update can be applied [1]. Users are strongly advised to update the plugin to the latest available version or implement a virtual patch to protect their sites.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.