Cross-site Scripting Flaw in NotFound Contact Form 7 Round Robin Lead Distribution
CVE-2025-23812

7.1HIGH

Key Information:

Vendor: WordPress
Status: Contact Form 7 Round Robin Lead Distribution
Vendor: CVE Published:; 22 January 2025

What is CVE-2025-23812?

The NotFound Contact Form 7 Round Robin Lead Distribution plugin is susceptible to a vulnerability that allows for Reflected Cross-site Scripting (XSS) attacks. An attacker could exploit this flaw by injecting malicious scripts into web pages generated by the plugin, impacting users who visit those pages. All versions from the initial release to 1.2.1 are affected, making it crucial for users to update their installations to mitigate potential exploitation risks.

Affected Version(s)

Contact Form 7 Round Robin Lead Distribution <= 1.2.1

References

https://patchstack.com/database/wordpress/plugin/contact-...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 22, 2025
Vulnerability Reserved
Jan 16, 2025

Credit

0xd4rk5id3 (Patchstack Alliance)