CVE-2025-6756
📋 TL;DR
This stored XSS vulnerability in the Ultimate Addons for Contact Form 7 WordPress plugin allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. The scripts execute whenever users visit compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Ultimate Addons for Contact Form 7 WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access, deface websites, steal sensitive user data, or install backdoors for persistent access.
Likely Case
Session hijacking, credential theft from users visiting infected pages, or redirection to malicious sites.
If Mitigated
Limited to low-privilege user compromise if proper input validation and output escaping are implemented.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.22 or later
Vendor Advisory: https://wordpress.org/plugins/ultimate-addons-for-contact-form-7/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Ultimate Addons for Contact Form 7'.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.5.22+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable shortcode
Remove or disable the UACF7_CUSTOM_FIELDS shortcode usage across the site
Edit WordPress pages/posts to remove [UACF7_CUSTOM_FIELDS] shortcode references
Restrict user roles
Temporarily remove contributor-level access until patching
Navigate to Users → All Users in WordPress admin, downgrade contributor roles to subscriber
🧯 If You Can't Patch
- Disable the entire Ultimate Addons for Contact Form 7 plugin
- Implement web application firewall rules to block XSS payloads targeting the vulnerable shortcode
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins, find 'Ultimate Addons for Contact Form 7' and verify version is 3.5.21 or lower.
Check Version:
wp plugin list --name='ultimate-addons-for-contact-form-7' --field=version
Verify Fix Applied:
Confirm plugin version is 3.5.22 or higher in WordPress admin panel.
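Comparing the version string that `wp plugin list --field=version` prints against the 3.5.22 threshold is easy to get wrong with a plain string comparison ("3.5.9" sorts after "3.5.22" lexicographically). The helper below is an added example, not part of this advisory or the plugin; it assumes the version is passed in as text and does a numeric per-component comparison against the first fixed release named above.

```python
import re
import sys

# First patched release according to the advisory (3.5.22 or later is fixed).
FIXED_VERSION = (3, 5, 22)


def parse_version(text: str) -> tuple:
    """Turn '3.5.21' (or '3.5.21-beta', '3.5') into a comparable tuple of ints."""
    match = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    # Missing minor/patch components count as 0, so '3.5' == (3, 5, 0).
    return tuple(int(part) if part else 0 for part in match.groups())


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the first fixed release."""
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    # Usage (hypothetical pipeline, constructed for this example):
    #   wp plugin list --name='ultimate-addons-for-contact-form-7' --field=version | python check_uacf7.py
    installed = sys.stdin.read().strip()
    state = "VULNERABLE" if is_vulnerable(installed) else "fixed"
    print(f"ultimate-addons-for-contact-form-7 {installed}: {state}")
```

Pipe the wp-cli output into the script, or call `is_vulnerable()` from an inventory job that already collects plugin versions across several sites.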
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php with UACF7_CUSTOM_FIELDS parameters
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- HTTP requests containing script tags in UACF7_CUSTOM_FIELDS parameters
- Outbound connections to suspicious domains from WordPress pages
SIEM Query:
source="wordpress.log" AND ("UACF7_CUSTOM_FIELDS" AND ("script" OR "onerror" OR "javascript:"))
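The SIEM query above matches the literal strings "script", "onerror" and "javascript:" next to the shortcode name, which misses the common case where the request body is URL-encoded in the log (the payload arrives as `%3Cscript%3E`, not `<script>`). The script below is an added example, not part of this advisory: it applies the same indicators to a few constructed access-log lines, decoding URL encoding (including double encoding) and ignoring case before matching. The log format and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

SHORTCODE = "uacf7_custom_fields"

# Same indicators as the advisory's SIEM query, expressed as patterns that
# still match after decoding and regardless of case: a <script tag, a
# javascript: URL, or any on*= event handler attribute.
PAYLOAD_RE = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample log lines (not taken from any real site): a benign
# shortcode edit, a URL-encoded <script> payload, an onerror payload and an
# unrelated page view. Last field is an assumed "logged request body" column.
SAMPLE_LINES = [
    '10.0.0.5 - - [12/Jul/2025:10:01:02 +0000] "POST /wp-admin/post.php HTTP/1.1" 200 512 '
    '"content=[UACF7_CUSTOM_FIELDS id=12]"',
    '10.0.0.7 - - [12/Jul/2025:10:05:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 '
    '"content=%5BUACF7_CUSTOM_FIELDS%20id%3D%22%3Cscript%3Ealert(1)%3C%2Fscript%3E%22%5D"',
    '10.0.0.7 - - [12/Jul/2025:10:06:10 +0000] "POST /wp-admin/post.php HTTP/1.1" 200 91 '
    '"content=[UACF7_CUSTOM_FIELDS id=%22x%22 onerror=alert(1)]"',
    '10.0.0.9 - - [12/Jul/2025:10:07:00 +0000] "GET /contact/ HTTP/1.1" 200 2048 "-"',
]


def fully_decode(text: str, rounds: int = 3) -> str:
    """Undo URL encoding repeatedly; payloads are sometimes double-encoded."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_suspicious(lines):
    """Return one record per line that names the shortcode and carries an XSS indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        decoded = fully_decode(line)
        if SHORTCODE not in decoded.lower():
            continue
        match = PAYLOAD_RE.search(decoded)
        if match:
            hits.append({"line": number, "indicator": match.group(0), "raw": line})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LINES):
        print(f"line {hit['line']}: indicator {hit['indicator']!r}")
```

Run against real logs, the shortcode-name check keeps the noise down (normal editing of pages that use the shortcode never produces an indicator), and the decode step is what makes the rule useful on the encoded request bodies that the literal SIEM query would skip.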
🔗 References
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/tags/3.5.21/addons/dynamic-text/inc/shortcode.php#L113
- https://plugins.trac.wordpress.org/changeset/3319449/
- https://wordpress.org/plugins/ultimate-addons-for-contact-form-7/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5b839658-c472-40f0-855f-7201baeb790f?source=cve