CVE-2025-13975 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Contact Form 7 with ChatWork plugin for WordPress. The flaw arises from improper input sanitization and output escaping of the 'api_token' and 'roomid' settings, which are used to configure the plugin's integration with ChatWork. This vulnerability affects all versions up to and including 1.1.0. Exploitation requires an attacker to have authenticated administrator-level access on a WordPress multisite installation or on installations where the 'unfiltered_html' capability is disabled, which restricts the ability to post unfiltered HTML content. An attacker can inject arbitrary JavaScript code into these settings, which is then stored and executed whenever a user accesses the plugin's settings page. This stored XSS can lead to session hijacking, privilege escalation, or other malicious actions depending on the injected payload. The vulnerability has a CVSS 3.1 base score of 4.4, reflecting its medium severity, with an attack vector of network, high attack complexity, requiring privileges, no user interaction, and a scope change. No patches or exploits are currently publicly available, but the risk remains for affected multisite WordPress environments using this plugin. The vulnerability is particularly relevant for environments where administrative users frequently access plugin settings, increasing the chance of script execution.

For European organizations, this vulnerability poses a moderate risk primarily to WordPress multisite installations using the Contact Form 7 with ChatWork plugin. If exploited, attackers with administrative access could inject malicious scripts that execute in the context of the plugin settings page, potentially leading to theft of administrative session tokens, unauthorized actions within the WordPress dashboard, or further compromise of the site. This could result in data confidentiality breaches, integrity violations through unauthorized content changes, and potential lateral movement within the network. Although the vulnerability does not directly affect availability, the resulting compromise could lead to defacement or disruption of services. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, could face compliance risks and reputational damage if exploited. The requirement for administrator privileges limits the attack surface but does not eliminate risk, especially in environments with multiple administrators or where credential compromise is possible.

To mitigate CVE-2025-13975, European organizations should: 1) Immediately audit WordPress multisite installations to identify use of the Contact Form 7 with ChatWork plugin and verify the version; 2) Restrict administrative access strictly to trusted personnel and enforce strong authentication mechanisms such as MFA to reduce the risk of credential compromise; 3) If a patch becomes available, apply it promptly; 4) In the absence of a patch, consider disabling or uninstalling the plugin in multisite environments or those with unfiltered_html disabled; 5) Implement Content Security Policy (CSP) headers to limit the impact of injected scripts; 6) Regularly monitor administrative pages for unexpected script injections or unusual behavior; 7) Educate administrators about the risks of stored XSS and safe configuration practices; 8) Review and harden WordPress security settings, including limiting plugin installation and configuration rights; 9) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting plugin settings; 10) Conduct periodic security assessments focusing on plugin vulnerabilities and multisite configurations.