Stored Cross-Site Scripting Vulnerability in WordPress Contact Form Plugin
CVE-2025-3201

5.9MEDIUM

Key Information:

Vendor: WordPress
Status: Contact Form Builder With Drag & Drop For WordPress
Vendor: CVE Published:; 16 May 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-3201?

The Contact Form Builder plugin for WordPress versions prior to 2.4.3 contains a vulnerability that fails to properly sanitize and escape certain settings. This imperfection potentially allows high privileged users, such as contributors, to execute Stored Cross-Site Scripting (XSS) attacks. Such attacks can lead to the injection of malicious scripts, posing risks to users and the integrity of the website.

Affected Version(s)

Contact Form builder with drag & drop for WordPress 0 < 2.4.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-3201 - Proof of Concept

References

https://wpscan.com/vulnerability/4248289f-36d2-41c5-baf6-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 16, 2025
👾
Exploit known to exist
May 16, 2025
Vulnerability published
May 16, 2025
Vulnerability Reserved
Apr 3, 2025

Credit

Dmitrii Ignatyev

WPScan