Reflected Cross-Site Scripting in Contact Form 7 reCAPTCHA Plugin for WordPress
CVE-2025-8280
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 12 September 2025
Badges
What is CVE-2025-8280?
The Contact Form 7 reCAPTCHA plugin for WordPress, up to version 1.2.0, is susceptible to reflected cross-site scripting (XSS) attacks. This vulnerability arises because the plugin fails to properly escape the data from the $_SERVER['REQUEST_URI'] parameter before rendering it within an HTML attribute. Attackers could exploit this flaw, particularly in older web browsers, enabling them to inject malicious scripts into web pages viewed by users. As a result, unsuspecting users could potentially be tricked into executing harmful scripts, compromising their data and security.
Affected Version(s)
Contact Form 7 reCAPTCHA 0 <= 1.2.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.