CVE-2025-6212
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability in the Ultimate Addons for Contact Form 7 WordPress plugin. An unauthenticated attacker submits a form entry whose field names carry malicious script; the plugin's database module stores the submission without neutralising those names, and when an administrator later views the submission data in that module, the script executes in the administrator's browser. Every WordPress site running a vulnerable version of the plugin is affected.
💻 Affected Systems
- Ultimate Addons for Contact Form 7 WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as administrators, redirect users to malicious sites, or install backdoors on the WordPress site.
Likely Case
Attackers inject malicious JavaScript to steal administrator credentials or session cookies, potentially gaining full control of the WordPress site.
If Mitigated
A Content Security Policy (CSP) that disallows inline scripts, or a web application firewall that strips script tags from submitted field names, could stop the payload from executing, limiting the impact to the stored markup itself. Note that a CSP strict enough to block the payload will also break much of the WordPress admin interface, which relies on inline scripts, so this is a partial mitigation rather than a substitute for the patch.
🎯 Exploit Status
Exploitation needs no authentication: the attacker submits a form whose field names contain the payload and then waits for an administrator to open the submission in the plugin's database module, at which point the script runs in the administrator's session.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.20
Vendor Advisory: https://wordpress.org/plugins/ultimate-addons-for-contact-form-7/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Ultimate Addons for Contact Form 7'
4. Click 'Update Now' if available
5. If not, download version 3.5.20+ from WordPress.org
6. Deactivate old version
7. Upload and activate new version
🔧 Temporary Workarounds
Disable Database Module
Temporarily disable the vulnerable database module until the plugin is patched. Stored submissions remain in the database, so re-enable the module only after updating.
Navigate to Contact Form 7 → Ultimate Addons → Database → Disable
Implement Content Security Policy
Add CSP headers to prevent script execution from untrusted sources.
Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or configure via a WordPress security plugin.
Test on a staging copy first: `script-src 'self'` without `'unsafe-inline'` blocks the inline scripts the WordPress admin depends on, and the header only helps if it is served on the wp-admin pages where the stored payload would execute.
🧯 If You Can't Patch
- Disable the entire Ultimate Addons for Contact Form 7 plugin
- Implement a web application firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
In WordPress admin go to Plugins → Installed Plugins and read the version shown under 'Ultimate Addons for Contact Form 7'. Versions 3.5.11 through 3.5.19 are vulnerable; anything below 3.5.20 should be updated regardless.
Check Version:
wp plugin list --name='ultimate-addons-for-contact-form-7' --field=version
Verify Fix Applied:
Verify plugin version is 3.5.20 or higher in WordPress admin panel.
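The version check above, as an added example (not part of the original advisory or the plugin's own tooling): it reads the installed version via WP-CLI and compares it against the vulnerable range stated on this page. The `wp plugin get <slug> --field=version` call assumes WP-CLI is on PATH and the script is run from the WordPress root; the range boundaries are taken from this page.

```python
"""Check whether the installed Ultimate Addons for Contact Form 7 is in the
CVE-2025-6212 vulnerable range (3.5.11 <= version < 3.5.20, per the advisory)."""
import re
import subprocess

PLUGIN_SLUG = "ultimate-addons-for-contact-form-7"
FIRST_VULNERABLE = (3, 5, 11)   # lower bound as stated on this page
FIXED = (3, 5, 20)              # first patched release


def parse_version(version: str) -> tuple:
    """Turn '3.5.19' (or '3.5', or '3.5.19-beta') into a comparable tuple,
    padded to three components so '3.5' sorts as 3.5.0."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside the advisory's vulnerable range."""
    return FIRST_VULNERABLE <= parse_version(version) < FIXED


def needs_update(version: str) -> bool:
    """True for anything older than the fixed release, even below the range
    this page names; older plugin code should be updated anyway."""
    return parse_version(version) < FIXED


def installed_version() -> str:
    """Assumption: WP-CLI is installed and we run from the WordPress root."""
    out = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    v = installed_version()
    status = "VULNERABLE" if is_vulnerable(v) else (
        "outdated, update" if needs_update(v) else "patched")
    print(f"{PLUGIN_SLUG} {v}: {status}")
```

Run it from the site root on each host; a non-zero exit from `wp` means the plugin is not installed, which is also a safe outcome.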
📡 Detection & Monitoring
Log Indicators:
- Form submissions whose field names (not just field values) contain HTML tags, `javascript:` URIs or event-handler attributes, in raw or percent-encoded form
- Requests to /wp-admin/admin-ajax.php with action=ajax_get_table_data. These are normal administrator traffic (the database module loading submissions) and mark the moment a stored payload would execute, so correlate them with suspicious submissions rather than alerting on them alone
Network Indicators:
- POST requests to contact forms containing script tags in field names
- Admin AJAX responses to action=ajax_get_table_data whose JSON payload contains script tags or event-handler attributes
SIEM Query:
source="wordpress.log" AND ("ajax_get_table_data" OR "database-pro-main.js") AND ("<script>" OR "%3Cscript" OR "javascript:" OR "onerror=")
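The log indicators above, as an added detection example (not from the original advisory or the plugin): it parses captured POST bodies from a constructed WAF-style log and flags submissions whose field names, after URL decoding, contain script tags, event-handler attributes or `javascript:` URIs. The log format (tab-separated client IP, request path, raw body) and the sample records are constructed for this example; adapt the parsing to whatever your proxy or WAF actually records.

```python
"""Flag form submissions carrying XSS payloads in field *names*, the vector
described for CVE-2025-6212. Sample log lines are constructed, not real."""
import re
from urllib.parse import parse_qsl

# Tags, event handlers (onerror=, onload=, ...) and javascript: URIs,
# checked on the *decoded* field name so %3Cscript%3E is caught too.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|on[a-z]+\s*=|javascript\s*:", re.I)

# Constructed records: client IP \t request path \t raw url-encoded body.
SAMPLE_LOG = [
    "203.0.113.5\t/wp-json/contact-form-7/v1/contact-forms/12/feedback\t"
    "_wpcf7=12&your-name=Alice&your-email=alice%40example.com&your-message=hi",
    "198.51.100.7\t/wp-json/contact-form-7/v1/contact-forms/12/feedback\t"
    "_wpcf7=12&%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E=x&your-name=Bob",
    "198.51.100.7\t/wp-json/contact-form-7/v1/contact-forms/12/feedback\t"
    "_wpcf7=12&%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E=y&your-name=Bob",
    "192.0.2.9\t/wp-json/contact-form-7/v1/contact-forms/12/feedback\t"
    "_wpcf7=12&your-name=%3Cb%3Ebold%3C%2Fb%3E&your-message=value-only-markup",
]


def suspicious_field_names(body: str) -> list:
    """Return the decoded field names in a url-encoded body that look like
    markup or script. Values are deliberately ignored: a value such as
    '<b>bold</b>' is a separate concern from this CVE's name-based vector."""
    names = [name for name, _ in parse_qsl(body, keep_blank_values=True)]
    return [name for name in names if SUSPICIOUS.search(name)]


def scan_log(lines) -> list:
    """Yield (client_ip, path, [bad field names]) for each suspicious record."""
    hits = []
    for line in lines:
        ip, path, body = line.split("\t", 2)
        bad = suspicious_field_names(body)
        if bad:
            hits.append((ip, path, bad))
    return hits


if __name__ == "__main__":
    for ip, path, names in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}: suspicious field names {names}")
```

The last sample record shows why the check is name-scoped: markup in a field value is ordinary user content that the plugin may or may not escape, but markup in a field name matches the vector this advisory describes and is almost never legitimate.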
🔗 References
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/database/assets/js/database-pro-main.js
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/database/database.php
- https://plugins.trac.wordpress.org/changeset/3316177/
- https://wordpress.org/plugins/ultimate-addons-for-contact-form-7/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f49e48cb-7d0b-4bcf-9090-869472b8442a?source=cve