CVE-2025-13975: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in izuchy Contact Form 7 with ChatWork
The Contact Form 7 with ChatWork plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api_token' and 'roomid' settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses the settings page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Analysis
Technical Summary
CVE-2025-13975 is a stored cross-site scripting (XSS, CWE-79) vulnerability in the 'Contact Form 7 with ChatWork' WordPress plugin by izuchy, affecting all versions up to and including 1.1.0. The plugin saves the 'api_token' and 'roomid' settings without sanitizing them and prints them back on its settings page without escaping, so a value containing HTML or JavaScript is stored verbatim and executes in the browser of every user who opens that page. Writing the settings requires administrator-level access, which is why the stated precondition matters: on a single-site WordPress install an administrator already holds the unfiltered_html capability and may legitimately post arbitrary HTML and script, so no privilege boundary is crossed. On multi-site installs only super administrators hold unfiltered_html, and on any install where it has been removed (for example via the DISALLOW_UNFILTERED_HTML constant), a site administrator is not supposed to be able to run script in other users' browsers; this bug gives them that ability. The CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) reflects this: network-reachable, high privileges required, scored with no user interaction, and a changed scope because the vulnerable component is the plugin on the server while the impacted component is the browser of whoever views the settings page, including a super administrator. Confidentiality and integrity impact are rated low and availability is unaffected. No public exploit is referenced here, but script running in an administrator's or super administrator's dashboard session can read nonces from the page and issue authenticated requests on that user's behalf, so the bug is a stepping stone to broader compromise when chained with a compromised administrator account.
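To make the root cause concrete, here is an added illustrative example (not the plugin's actual source, which this page does not reproduce) of the store-then-echo pattern the advisory describes, followed by the hardened form. The option names (cf7cw_api_token, cf7cw_roomid), the settings page slug, and the assumed value formats for a ChatWork API token and room ID are assumptions made for the example.

```php
<?php
// Added illustrative example, not the plugin's code. Shows the class of bug
// described in the advisory (CWE-79 in a plugin settings page) and the fix.
// Option names, page slug and the token/room-ID formats are assumptions.

// --- Vulnerable pattern: raw POST value stored, raw option echoed back -------
function cf7cw_vuln_save_settings() {
    // No nonce check, no capability check, no sanitization.
    update_option( 'cf7cw_api_token', $_POST['api_token'] );
    update_option( 'cf7cw_roomid',    $_POST['roomid'] );
}

function cf7cw_vuln_render_settings() {
    // A stored value such as  "><script>alert(1)</script>  breaks out of the
    // attribute and runs for every user who opens the settings page.
    echo '<input type="text" name="api_token" value="' . get_option( 'cf7cw_api_token' ) . '">';
    echo '<input type="text" name="roomid" value="' . get_option( 'cf7cw_roomid' ) . '">';
}

// --- Hardened pattern: allow-list on input, escape on output ----------------
// Assumption: a ChatWork API token is 32 hex characters and a room ID is numeric.
function cf7cw_sanitize_api_token( $value ) {
    $value = sanitize_text_field( (string) $value );
    if ( ! preg_match( '/^[a-f0-9]{32}$/i', $value ) ) {
        add_settings_error( 'cf7cw_api_token', 'cf7cw_bad_token',
            'API token must be 32 hexadecimal characters.' );
        return get_option( 'cf7cw_api_token', '' ); // keep the previous value
    }
    return $value;
}

function cf7cw_sanitize_roomid( $value ) {
    $value = sanitize_text_field( (string) $value );
    if ( ! preg_match( '/^[0-9]{1,20}$/', $value ) ) {
        add_settings_error( 'cf7cw_roomid', 'cf7cw_bad_roomid', 'Room ID must be numeric.' );
        return get_option( 'cf7cw_roomid', '' );
    }
    return $value;
}

add_action( 'admin_init', function () {
    // register_setting() routes every save through sanitize_callback; the
    // Settings API (options.php) performs the nonce and capability checks.
    register_setting( 'cf7cw_settings', 'cf7cw_api_token',
        [ 'type' => 'string', 'sanitize_callback' => 'cf7cw_sanitize_api_token' ] );
    register_setting( 'cf7cw_settings', 'cf7cw_roomid',
        [ 'type' => 'string', 'sanitize_callback' => 'cf7cw_sanitize_roomid' ] );
} );

add_action( 'admin_menu', function () {
    add_options_page( 'CF7 ChatWork', 'CF7 ChatWork', 'manage_options',
        'cf7cw-settings', 'cf7cw_render_settings' );
} );

function cf7cw_render_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'cf7cw_settings' ); ?>
        <!-- esc_attr() neutralises quotes and angle brackets in the stored value -->
        <input type="text" name="cf7cw_api_token"
               value="<?php echo esc_attr( get_option( 'cf7cw_api_token', '' ) ); ?>">
        <input type="text" name="cf7cw_roomid"
               value="<?php echo esc_attr( get_option( 'cf7cw_roomid', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Two layers matter here. esc_attr() at output is what actually neutralises a stored payload, whatever route it took into wp_options (a direct wp option update, a database restore, an older plugin version), while the sanitize_callback allow-list keeps junk out in the first place. Since the API token is a secret, a real implementation should also avoid echoing it back into the form at all.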
Potential Impact
For European organizations the exposure is confined to WordPress multi-site deployments, and to single-site deployments that have removed unfiltered_html, running the 'Contact Form 7 with ChatWork' plugin at 1.1.0 or earlier. Because writing the two settings requires administrator-level access, the realistic attacker is a malicious or compromised site administrator, or an account that obtained that role through another weakness. What the bug buys such an attacker is script execution in the browser of anyone who opens the plugin's settings page, including a network super administrator on multi-site. WordPress marks its authentication cookies HttpOnly, so straightforward cookie theft is unlikely, but script running inside the dashboard can read the REST and AJAX nonces embedded in the page and perform any action the viewing user can: creating users, installing or editing plugins, changing site or network settings, or planting further payloads. On a multi-site host this is a path from control of one site to control of the network, which is the scenario that matters most for hosting providers and for organizations that run many sites on one install. Given the widespread use of WordPress in Europe, especially among SMEs and public sector entities, organizations that rely on this plugin for ChatWork integration should assume they are affected until they have checked. Installs that have deliberately removed unfiltered_html are not weaker; they are exactly the installs where this bug crosses a boundary that kses filtering was meant to enforce, because that filtering does not cover these two plugin settings. The medium CVSS rating reflects the high privilege required; the reason to treat it with some urgency is the escalation it enables when chained with a compromised administrator account.
Mitigation Recommendations
Organizations should first determine whether they are in scope: a multi-site install, or a single-site install where unfiltered_html has been removed (DISALLOW_UNFILTERED_HTML or an equivalent capability filter), with the 'Contact Form 7 with ChatWork' plugin at version 1.1.0 or earlier (wp plugin list shows installed versions). Since no official patch links are provided, administrators should consider the following mitigations: (1) Restrict the administrator role to trusted personnel, enforce MFA, and review recently created or modified administrator accounts, since a compromised admin account is the realistic attack path. (2) Deactivate or uninstall the plugin if it is not essential, until a patched version is released. (3) Inspect the stored 'api_token' and 'roomid' values directly in wp_options rather than only watching future changes: a legitimate ChatWork room ID is numeric and an API token is an opaque alphanumeric string, so any value containing <, >, quotes or event-handler attributes is a finding, not a false positive. (4) Add WAF rules that block markup in requests to the plugin's settings handler, and treat this as a stopgap, since the real check belongs in the plugin's sanitize callback and output escaping. (5) Brief administrators that settings fields are an injection vector even when the UI looks harmless. (6) On multi-site, keep unfiltered_html restricted to super administrators as intended; do not grant it to site administrators to make the symptom disappear, since that widens the boundary the restriction exists to enforce. (7) Watch for a vendor update or security advisory and apply the fix promptly once released.
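As an added example for the scope check and the audit in steps (1) to (3), the following WP-CLI script (not from the vendor or Wordfence) reports whether an install is in scope, finds an installed plugin whose name matches both 'Contact Form' and 'ChatWork' at 1.1.0 or earlier, and flags stored settings that are not plausible values. Run it with wp eval-file; the option names (cf7cw_api_token, cf7cw_roomid) and the expected value formats are assumptions and must be adjusted to the plugin's real option keys.

```php
<?php
// Added audit example, not part of the plugin or the advisory.
// Usage:  wp eval-file cf7cw-audit.php
// Option names and the token/room-ID formats below are assumptions.

require_once ABSPATH . 'wp-admin/includes/plugin.php';

$findings = [];

// (a) Scope: the XSS only crosses a boundary where administrators lack unfiltered_html.
$disallow = defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML;
if ( is_multisite() || $disallow ) {
    $findings[] = sprintf( 'IN SCOPE: multisite=%s DISALLOW_UNFILTERED_HTML=%s',
        is_multisite() ? 'yes' : 'no', $disallow ? 'yes' : 'no' );
}
foreach ( get_users( [ 'role' => 'administrator' ] ) as $admin ) {
    if ( ! user_can( $admin, 'unfiltered_html' ) ) {
        $findings[] = "Administrator '{$admin->user_login}' lacks unfiltered_html: "
                    . 'script in these settings would be a privilege escalation for this account';
    }
}

// (b) Plugin presence and version, matched by name because the slug is not known here.
foreach ( get_plugins() as $file => $meta ) {
    if ( stripos( $meta['Name'], 'ChatWork' ) !== false
         && stripos( $meta['Name'], 'Contact Form' ) !== false ) {
        $state = is_plugin_active( $file ) ? 'active' : 'inactive';
        if ( version_compare( $meta['Version'], '1.1.0', '<=' ) ) {
            $findings[] = "Vulnerable version {$meta['Version']} of {$meta['Name']} ($file) is $state";
        }
    }
}

// (c) Stored values: anything outside the expected character set is suspicious,
// whether or not it contains an obvious <script> tag.
$expected = [
    'cf7cw_api_token' => '/^[a-f0-9]{32}$/i', // assumed token format
    'cf7cw_roomid'    => '/^[0-9]{1,20}$/',   // assumed room-ID format
];
foreach ( $expected as $name => $pattern ) {
    $value = get_option( $name, null );
    if ( $value === null ) {
        continue; // option not present on this site
    }
    if ( ! preg_match( $pattern, (string) $value ) ) {
        $findings[] = sprintf( 'Option %s does not match the expected format: %s',
            $name, wp_json_encode( $value ) );
    }
}

if ( empty( $findings ) ) {
    WP_CLI::success( 'Nothing flagged.' );
} else {
    foreach ( $findings as $f ) {
        WP_CLI::warning( $f );
    }
    WP_CLI::halt( 1 ); // non-zero exit so the check can gate a deployment pipeline
}
```

On multi-site run it once per site (wp site list --field=url, then wp --url=<site> eval-file cf7cw-audit.php), because get_option() reads the current site's options table and the administrator role is assigned per site.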
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-03T16:35:46.064Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693b9187650da22753edbd3d
Added to database: 12/12/2025, 3:52:39 AM
Last enriched: 12/12/2025, 4:15:14 AM
Last updated: 12/14/2025, 3:16:36 PM