CVE-2025-27303
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in the Contact Form 7 Star Rating WordPress plugin allows attackers to inject malicious scripts into web pages. When exploited, these scripts execute in visitors' browsers, potentially stealing session cookies or redirecting users to malicious sites. All WordPress sites using Contact Form 7 Star Rating versions up to 1.10 are affected.
💻 Affected Systems
- Contact Form 7 Star Rating WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over WordPress sites, deface websites, or redirect visitors to malware distribution sites.
Likely Case
Attackers inject malicious JavaScript to steal user session data, perform actions on behalf of users, or display phishing content.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing exploitation.
🎯 Exploit Status
As a stored XSS vulnerability, exploitation requires submitting malicious input through the star rating form, which then gets stored and served to other users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Contact Form 7 Star Rating' and click 'Update Now'. 4. Verify the plugin version is 1.11 or higher.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily deactivate the Contact Form 7 Star Rating plugin until patched
wp plugin deactivate contact-form-7-star-rating
Remove Plugin
allCompletely remove the vulnerable plugin from the WordPress installation
wp plugin delete contact-form-7-star-rating
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules
- Add Content Security Policy (CSP) headers to restrict script execution sources
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Contact Form 7 Star Rating versionCheck Version:
wp plugin get contact-form-7-star-rating --field=versionVerify Fix Applied:
Verify plugin version is 1.11 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to star rating submission endpoints
- JavaScript payloads in form submissions
Network Indicators:
- Malicious script tags in HTTP responses from star rating pages
SIEM Query:
source="wordpress.log" AND "contact-form-7-star-rating" AND ("script" OR "javascript" OR "onerror" OR "onload")