CVE-2025-6756 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Ultra Addons for Contact Form 7 plugin for WordPress. This vulnerability exists due to insufficient sanitization and escaping of user-supplied input in the UACF7_CUSTOM_FIELDS shortcode, which is used to add custom fields to forms. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages that utilize this shortcode. Because the malicious script is stored persistently, it executes in the context of any user who visits the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users without their consent. The vulnerability affects all versions up to and including 3.5.21. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or official fixes have been linked yet, and no known exploits are reported in the wild. The vulnerability highlights the risks of improper input validation in WordPress plugins, especially those that handle user-generated content and shortcode processing.

This vulnerability can lead to significant security risks for organizations running WordPress sites with the affected Ultra Addons for Contact Form 7 plugin. An attacker with contributor-level access can inject malicious scripts that execute in the browsers of site visitors and administrators, potentially leading to session hijacking, credential theft, defacement, or unauthorized actions performed with elevated privileges. The compromise of administrative accounts could lead to full site takeover, data leakage, or further malware deployment. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by access controls, but many WordPress sites allow contributor or author roles for content creation, increasing exposure. The scope of impact includes any organization using this plugin, especially those with multiple contributors or public-facing content management. The medium severity rating reflects the balance between required privileges and the potential damage. The absence of known exploits suggests limited active exploitation currently, but the vulnerability remains a credible threat if weaponized.

Organizations should immediately audit their WordPress installations for the presence of the Ultra Addons for Contact Form 7 plugin and verify the version in use. Until an official patch is released, administrators should consider the following mitigations: 1) Restrict contributor-level and higher access to trusted users only, minimizing the risk of malicious script injection. 2) Disable or remove the UACF7_CUSTOM_FIELDS shortcode usage in content to prevent exploitation. 3) Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection patterns related to this shortcode. 4) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 6) Once a patch is available, promptly apply updates to the plugin. 7) Educate content contributors about safe input practices and the risks of injecting untrusted code. These steps go beyond generic advice by focusing on access control, shortcode usage, and layered defenses.