Cross-site Scripting Vulnerability in Contact Form 7 Editor Button by Arisoft
CVE-2025-48345

7.1HIGH

Key Information:

Vendor

WordPress
Status
Contact Form 7 Editor Button
Vendor
CVE Published:
16 July 2025

What is CVE-2025-48345?

The Contact Form 7 Editor Button by Arisoft is susceptible to a reflected Cross-site Scripting (XSS) vulnerability. This allows attackers to inject malicious scripts into web pages, posing a significant risk to site users. The issue is present in versions leading up to 1.0.0 and can be exploited during web page generation, allowing malicious code execution in the context of the user's browser.

Affected Version(s)

Contact Form 7 Editor Button <= 1.0.0

References

https://patchstack.com/database/wordpress/plugin/cf7-edit...
vdb-entry

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Xuan Chien (Patchstack Alliance)
.
CVE-2025-48345 : Cross-site Scripting Vulnerability in Contact Form 7 Editor Button by Arisoft