CVE-2025-5123 is a stored Cross-Site Scripting (XSS) vulnerability affecting the 'Contact Us Page – Contact People' WordPress plugin developed by a3rev, present in all versions up to and including 3.7.4. The vulnerability arises from improper neutralization of input during web page generation, specifically involving the 'style' parameter. Authenticated users with Contributor-level privileges or higher can exploit this flaw by injecting malicious JavaScript code into the plugin's pages. Because the injected script is stored persistently, it executes whenever any user accesses the compromised page, potentially affecting site administrators, editors, and visitors. The vulnerability is classified under CWE-79, indicating insufficient input sanitization and output escaping. The CVSS v3.1 base score is 6.4 (medium severity), with an attack vector of network (remote exploitation), low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no official patches have been released at the time of this report. The vulnerability allows attackers to execute arbitrary scripts, which can lead to session hijacking, privilege escalation, defacement, or distribution of malware within affected WordPress sites using this plugin.

For European organizations, this vulnerability poses a significant risk, particularly for those relying on WordPress sites with the a3rev 'Contact Us Page – Contact People' plugin installed. Since exploitation requires authenticated access with Contributor-level permissions, insider threats or compromised user accounts are primary vectors. Successful exploitation can lead to unauthorized disclosure of sensitive information (confidentiality impact) and unauthorized modification of site content or user data (integrity impact). This can damage organizational reputation, lead to data breaches under GDPR regulations, and potentially facilitate further attacks such as phishing or malware distribution. The scope change in the CVSS vector indicates that exploitation can affect components beyond the initially vulnerable plugin, potentially impacting the entire WordPress site. Given the widespread use of WordPress in Europe across various sectors including government, education, and SMEs, the vulnerability could have broad implications. However, the absence of availability impact reduces the risk of service disruption. Organizations with strict compliance requirements and public-facing websites are particularly vulnerable to reputational and regulatory consequences.

1. Immediate mitigation involves restricting Contributor-level access to trusted users only and auditing existing user privileges to minimize the risk of insider exploitation. 2. Implement Web Application Firewall (WAF) rules specifically targeting suspicious 'style' parameter inputs and known XSS payload patterns related to this plugin. 3. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of injected scripts. 4. Regularly monitor WordPress plugin updates from a3rev and apply patches promptly once released. 5. Conduct thorough input validation and output encoding on all user-supplied data within the plugin, if custom modifications are possible. 6. Use security plugins that can detect and sanitize stored XSS attempts in WordPress environments. 7. Educate site administrators and content contributors about the risks of XSS and the importance of secure content management practices. 8. Perform periodic security audits and penetration testing focusing on authenticated user roles and plugin vulnerabilities.