CVE-2025-13975 is a stored cross-site scripting vulnerability identified in the Contact Form 7 with ChatWork plugin for WordPress, affecting all versions up to and including 1.1.0. The vulnerability stems from improper neutralization of input during web page generation, specifically in the handling of the 'api_token' and 'roomid' configuration settings. These inputs are insufficiently sanitized and escaped before being rendered on the plugin's settings page. As a result, an authenticated attacker with administrator-level privileges can inject arbitrary JavaScript code that is persistently stored and executed whenever any user accesses the affected settings page. This vulnerability is constrained to multi-site WordPress installations or those where the 'unfiltered_html' capability is disabled, limiting its scope. The attack vector requires network access (remote), high attack complexity due to privilege requirements, and no user interaction is needed for exploitation. The vulnerability impacts confidentiality and integrity by potentially allowing session hijacking, privilege escalation, or unauthorized actions via injected scripts. The CVSS 3.1 base score is 4.4, reflecting a medium severity level. No patches or public exploits have been reported at the time of disclosure, but the vulnerability is publicly documented and should be addressed promptly.

The primary impact of this vulnerability is the potential for persistent cross-site scripting attacks within WordPress environments using the vulnerable plugin. An attacker with administrator privileges can inject malicious scripts that execute in the context of users accessing the plugin settings page, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. This can compromise the confidentiality and integrity of the affected WordPress sites. Since the vulnerability requires administrator-level access, the risk is somewhat mitigated by the need for prior compromise or insider threat. However, in multi-site installations or environments with disabled unfiltered_html, the attack surface increases, potentially affecting multiple sites within a network. Exploitation could facilitate further lateral movement or persistence within an organization's web infrastructure. The vulnerability does not impact availability directly but can degrade trust and operational security. Organizations relying on this plugin for critical contact form and ChatWork integration functionality may face reputational damage and data breaches if exploited.

To mitigate this vulnerability, organizations should immediately update the Contact Form 7 with ChatWork plugin to a version that addresses the input sanitization and output escaping issues once available. Until a patch is released, administrators should restrict access to the plugin settings page to only highly trusted personnel and monitor for unusual administrative activity. Implementing strict role-based access controls and auditing administrator actions can reduce the risk of exploitation. Additionally, enabling Web Application Firewalls (WAFs) with rules to detect and block suspicious script injection attempts targeting the plugin's settings page can provide temporary protection. Reviewing and hardening WordPress multi-site configurations and ensuring the 'unfiltered_html' capability is only granted to trusted users will also limit exposure. Regularly scanning for stored XSS payloads in plugin settings and logs can help detect exploitation attempts. Finally, educating administrators about the risks of stored XSS and safe plugin management practices is recommended.