Cross-site Scripting Flaw in NotFound Contact Form 7 Round Robin Lead Distribution
CVE-2025-23812

7.1HIGH

Key Information:

Vendor: Notfound
Status: Contact Form 7 Round Robin Lead Distribution
Vendor: CVE Published:; 22 January 2025

Summary

The NotFound Contact Form 7 Round Robin Lead Distribution plugin is susceptible to a vulnerability that allows for Reflected Cross-site Scripting (XSS) attacks. An attacker could exploit this flaw by injecting malicious scripts into web pages generated by the plugin, impacting users who visit those pages. All versions from the initial release to 1.2.1 are affected, making it crucial for users to update their installations to mitigate potential exploitation risks.

Affected Version(s)

Contact Form 7 Round Robin Lead Distribution <= 1.2.1

References

https://patchstack.com/database/wordpress/plugin/contact-...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 22, 2025
Vulnerability Reserved
Jan 16, 2025

Credit

0xd4rk5id3 (Patchstack Alliance)