Stored Cross-Site Scripting Vulnerability in Contact Form 7 with ChatWork Plugin for WordPress
CVE-2025-13975

4.4MEDIUM

Key Information:

Vendor: WordPress
Status: Contact Form 7 With Chatwork
Vendor: CVE Published:; 12 December 2025

What is CVE-2025-13975?

The Contact Form 7 with ChatWork plugin for WordPress exhibits a vulnerability that allows authenticated attackers, possessing administrator-level access, to inject arbitrary web scripts through the 'api_token' and 'roomid' settings. This issue arises from inadequate input sanitization and output escaping, particularly in environments using multi-site installations or where the ability to filter HTML is disabled. When successfully exploited, any user accessing the settings page can have their session compromised, leading to unintended actions or data exposure.

Affected Version(s)

Contact Form 7 with ChatWork * <= 1.1.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/contact-form-7...

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 12, 2025
Vulnerability Reserved
Dec 3, 2025

Credit

Yahya Oumani

JSON