CVE-2025-6212: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in themefic Ultra Addons for Contact Form 7

Severity: High
Tags: vulnerability, CVE-2025-6212, CWE-79
Published: Thu Jun 26 2025 (06/26/2025, 09:22:03 UTC)
Source: CVE Database V5
Vendor/Project: themefic
Product: Ultra Addons for Contact Form 7

Description

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Database module in versions 3.5.11 to 3.5.19 due to insufficient input sanitization and output escaping. The unfiltered field names are stored alongside the sanitized values. Later, the admin-side AJAX endpoint ajax_get_table_data() returns those raw names as JSON column headers, and the client-side DataTables renderer injects them directly into the DOM without any HTML encoding. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 16:07:23 UTC

Technical Analysis

CVE-2025-6212 is a stored cross-site scripting vulnerability classified under CWE-79 affecting the Ultra Addons for Contact Form 7 plugin for WordPress, specifically versions 3.5.11 through 3.5.19. The vulnerability stems from insufficient sanitization and escaping of user-supplied input, particularly the field names stored in the database alongside sanitized values. These raw field names are later retrieved by the admin-side AJAX endpoint ajax_get_table_data() and returned as JSON column headers. The client-side DataTables JavaScript library then injects these headers directly into the DOM without any HTML encoding or escaping. Because the input is stored persistently and rendered in the admin interface, an unauthenticated attacker can inject arbitrary JavaScript code that executes whenever an administrator or user with access views the affected page. This can lead to theft of session cookies, execution of arbitrary actions with the victim’s privileges, or further compromise of the WordPress site. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk. Although no public exploits have been reported yet, the CVSS 3.1 base score of 7.2 reflects a high severity due to the ease of exploitation and potential impact on confidentiality and integrity. The vulnerability affects a widely used WordPress plugin that extends Contact Form 7 functionality, which is popular among WordPress users globally.

Potential Impact

The impact of CVE-2025-6212 is significant for organizations using the Ultra Addons for Contact Form 7 plugin. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim’s browser, typically administrators or users with elevated privileges. This can lead to session hijacking, unauthorized actions within the WordPress admin panel, data theft, or deployment of further malware. Since the vulnerability is stored XSS, the malicious payload persists in the database and can affect multiple users over time. The lack of authentication requirement means attackers can exploit this remotely without credentials, increasing the attack surface. Organizations relying on this plugin for contact form enhancements risk compromise of their web infrastructure, potential defacement, data leakage, or pivoting to deeper network attacks. The vulnerability undermines the confidentiality and integrity of the affected systems but does not directly impact availability. Given WordPress’s widespread use, the threat could affect a broad range of sectors including e-commerce, education, government, and media worldwide.

Mitigation Recommendations

To mitigate CVE-2025-6212, organizations should immediately update the Ultra Addons for Contact Form 7 plugin to a patched version once available. In the absence of an official patch, administrators should disable or remove the plugin to eliminate exposure. As a temporary workaround, restrict access to the affected AJAX endpoint ajax_get_table_data() by limiting admin panel access via IP whitelisting or web application firewall (WAF) rules. Implement strict Content Security Policy (CSP) headers to reduce the impact of injected scripts. Review and sanitize all user inputs rigorously, especially those stored and rendered in the admin interface. Monitor logs for suspicious requests targeting the AJAX endpoint or unusual admin page activity. Educate administrators to avoid clicking on suspicious links or content that could trigger the XSS payload. Regularly audit WordPress plugins for vulnerabilities and maintain a robust patch management process. Employ security plugins that can detect and block XSS attacks and anomalous admin behavior.
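As an added defender-side example (not code from the plugin, Wordfence or DataTables), the column-header step from the description and the "sanitize inputs rendered in the admin interface" recommendation above: stored field names returned as JSON headers are HTML-escaped before they become DataTables column titles, shown next to the pass-through shape the description identifies. The function names and the sample field name are constructed for illustration.

```javascript
// Added example: neutralising markup in JSON column headers before they are
// handed to a DataTables column definition. DataTables renders `title` as HTML,
// so any markup left in a stored field name would be written into the <th>.
// Names and sample data below are constructed, not taken from the plugin.

// Escape the five characters that can open or close markup or attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pass-through shape: raw header strings become column titles unchanged.
// This is the pattern the advisory describes; kept here only for comparison.
function toColumnDefsUnsafe(headers) {
  return headers.map((name) => ({ data: name, title: name }));
}

// Hardened shape: `data` keeps the key used to look up row values,
// `title` is escaped so the browser shows the name as text, not markup.
function toColumnDefsSafe(headers) {
  return headers.map((name) => ({ data: name, title: escapeHtml(name) }));
}

// Build the header row markup the way a renderer that writes `title` as HTML would.
function renderHeaderRow(columnDefs) {
  return '<tr>' + columnDefs.map((c) => '<th>' + c.title + '</th>').join('') + '</tr>';
}

// Constructed sample: one ordinary field name and one carrying markup and quotes.
const SAMPLE_HEADERS = ['your-email', 'Message <b>x</b> & "q"'];

// Stand-alone run: print both renderings for inspection.
console.log(renderHeaderRow(toColumnDefsUnsafe(SAMPLE_HEADERS)));
console.log(renderHeaderRow(toColumnDefsSafe(SAMPLE_HEADERS)));
```

Escaping on the client is a belt-and-braces measure; the stored field name should also be sanitized on the server before it is written to the database, which is what the advisory's root cause points at.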


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-17T18:52:36.687Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 685d144eca1063fb8740799a

Added to database: 6/26/2025, 9:35:10 AM

Last enriched: 2/27/2026, 4:07:23 PM

Last updated: 3/24/2026, 4:46:07 AM
