CVE-2025-5123 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Contact Us Page – Contact People plugin for WordPress developed by a3rev. The vulnerability arises from improper neutralization of input during web page generation, specifically through the 'style' parameter. All versions up to and including 3.7.4 are affected. Authenticated attackers with Contributor-level privileges or higher can inject arbitrary JavaScript code into pages by exploiting insufficient input sanitization and lack of output escaping. When other users access the infected pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing actions on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting network attack vector, low attack complexity, required privileges, no user interaction, and partial impact on confidentiality and integrity. No patches or fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow authenticated users to submit content that is rendered to others.

The primary impact of CVE-2025-5123 is the potential compromise of user confidentiality and integrity on affected WordPress sites. Exploitation allows attackers to execute arbitrary scripts in the context of other users, which can lead to session hijacking, theft of sensitive information, unauthorized actions, or defacement of website content. Since the vulnerability requires authenticated access at Contributor level or above, the threat is limited to environments where such user roles exist and are potentially compromised or malicious. However, the scope is significant because many WordPress sites use this plugin, and contributors are common roles in content management workflows. The vulnerability does not affect availability directly but can undermine trust and lead to reputational damage. Organizations relying on this plugin for customer interaction or lead generation may face data leakage or unauthorized data manipulation. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits post-disclosure.

1. Immediately restrict Contributor-level user permissions to trusted individuals only, minimizing the risk of malicious input submission. 2. Monitor and audit Contributor and higher-level user activities for suspicious behavior or unexpected content changes. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'style' parameter or script injections in the plugin's pages. 4. Apply manual input sanitization or output escaping if plugin source code modification is feasible, focusing on the 'style' parameter to neutralize script tags or event handlers. 5. Regularly update the plugin once a patch or official fix is released by the vendor. 6. Educate site administrators and contributors about the risks of XSS and safe content submission practices. 7. Consider temporarily disabling the plugin or replacing it with a secure alternative if immediate patching is not possible. 8. Employ Content Security Policy (CSP) headers to restrict script execution sources, mitigating impact if exploitation occurs.