CVE-2025-58961 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in the kamleshyadav CF7 Auto Responder Addon, a WordPress plugin designed to automate responses for Contact Form 7 submissions. The vulnerability arises from improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be injected and executed in the context of the victim's browser. This type of XSS is particularly dangerous because it manipulates the Document Object Model (DOM) on the client side, bypassing some traditional server-side input validation mechanisms. The affected versions include all releases up to and including 2.4, with no specific earliest version identified. The vulnerability requires no authentication but does require user interaction, such as clicking a crafted link or visiting a malicious page that triggers the payload. The CVSS 3.1 base score of 7.1 reflects a network attack vector, low attack complexity, no privileges required, user interaction needed, and a scope change, with partial impacts on confidentiality, integrity, and availability. While no known exploits are currently reported in the wild, the widespread use of Contact Form 7 and its addons in WordPress sites makes this a significant threat. The vulnerability could be leveraged to steal session cookies, perform actions on behalf of users, or inject malicious content, potentially leading to further compromise of web applications or user data.

For European organizations, especially those relying on WordPress websites with the CF7 Auto Responder Addon, this vulnerability poses a significant risk. Successful exploitation could lead to theft of user credentials or session tokens, unauthorized actions performed on behalf of users, defacement of websites, or distribution of malware. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches due to data leakage), and cause operational disruptions. E-commerce platforms, government portals, and service providers using this plugin are particularly vulnerable, as attackers could target customers or employees to gain deeper access. The partial impact on confidentiality, integrity, and availability means attackers can manipulate data and disrupt services, potentially affecting business continuity and trust. Given the plugin’s integration with contact forms, attackers might also exploit this vector to target internal users or customers, increasing the attack surface.

Immediate mitigation should focus on disabling or removing the vulnerable CF7 Auto Responder Addon until a vendor patch is released. Organizations should monitor official channels for updates or patches from the plugin developer. In the interim, implement strict Content Security Policies (CSP) to restrict script execution sources and reduce the impact of injected scripts. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable plugin. Conduct thorough input validation and output encoding on all user-supplied data within the website’s custom code to prevent DOM-based XSS. Additionally, educate users and administrators about the risks of clicking unknown links or interacting with untrusted content. Regularly audit and update all WordPress plugins and themes to minimize exposure to known vulnerabilities. For organizations with high-risk profiles, consider isolating critical web applications or using security plugins that provide enhanced XSS protection.