CVE-2025-6212 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability affecting the Ultra Addons for Contact Form 7 WordPress plugin, specifically versions 3.5.11 through 3.5.19. The vulnerability arises from improper input sanitization and output escaping in the plugin's Database module. Specifically, unfiltered field names are stored alongside sanitized values in the database. When an admin-side AJAX endpoint (ajax_get_table_data()) is called, it returns these raw, unsanitized field names as JSON column headers. The client-side DataTables renderer then injects these headers directly into the DOM without any HTML encoding or escaping. This chain of insufficient sanitization and unsafe rendering enables unauthenticated attackers to inject arbitrary JavaScript code that executes whenever a user accesses the affected page. Because the vulnerability is stored, the malicious script persists in the database and affects all users who view the injected page, including administrators. The CVSS 3.1 base score is 7.2, reflecting a high severity with network attack vector, low attack complexity, no privileges or user interaction required, and a scope change. The impact includes partial confidentiality and integrity loss but no availability impact. No known exploits are reported in the wild yet, and no official patches are currently linked. The vulnerability is assigned by Wordfence and publicly disclosed on June 26, 2025.

For European organizations using WordPress sites with the Ultra Addons for Contact Form 7 plugin, this vulnerability poses a significant risk. The stored XSS can lead to session hijacking, credential theft, unauthorized actions performed with admin privileges, and potential pivoting within the network. Since the attack requires no authentication or user interaction, any visitor or automated scanner could trigger the malicious payload. This is particularly concerning for organizations with public-facing WordPress sites that handle sensitive user data or provide administrative interfaces accessible to multiple users. The compromise of administrative accounts could lead to broader site defacement, data leakage, or insertion of further malware. Given the widespread use of WordPress in Europe for government, healthcare, education, and commercial sectors, the vulnerability could be exploited to undermine trust, cause reputational damage, and violate data protection regulations such as GDPR if personal data is exposed or manipulated.

1. Immediate mitigation involves disabling or restricting access to the vulnerable ajax_get_table_data() AJAX endpoint, especially for unauthenticated users, through web application firewalls or server-level access controls. 2. Until an official patch is released, organizations should consider removing or disabling the Ultra Addons for Contact Form 7 plugin if feasible. 3. Implement strict Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of XSS attacks. 4. Regularly audit and sanitize all user inputs and stored data fields, particularly those rendered in admin interfaces, to ensure no malicious scripts are stored or executed. 5. Monitor web server and application logs for unusual requests to the AJAX endpoint or suspicious payloads. 6. Educate administrators and users to recognize signs of XSS exploitation and report anomalies promptly. 7. Once available, promptly apply official patches or updates from the vendor. 8. Employ security plugins or tools that can detect and block XSS payloads in WordPress environments.