Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cmsMinds Pay with Contact Form 7 pay-with-contact-form-7 allows Reflected XSS. This issue affects Pay with Contact Form 7: from n/a through <= 1.0.4.
Analysis (AI)
Reflected cross-site scripting (XSS) in the cmsMinds Pay with Contact Form 7 WordPress plugin through version 1.0.4 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by victims. The vulnerability stems from improper neutralization of user input during web page generation, which can let an attacker steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. No public exploit code or active exploitation had been confirmed at the time of analysis, and the 0.04% EPSS score indicates a very low exploitation probability.
Technical Context (AI)
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a fundamental web application weakness in which user-supplied input is not properly sanitized or escaped before being rendered in HTML. This plugin integrates Contact Form 7 with payment functionality and likely accepts user input through form parameters or URL query strings. Because the XSS is reflected, the malicious payload is not stored in a database but echoed straight back in the HTTP response, which makes it suitable for phishing: an attacker crafts a malicious URL and tricks users into clicking it. Within the WordPress plugin ecosystem (CPE: cpe:2.3:a:cmsmind:pay_with_contact_form_7:*:*:*:*:*:wordpress:*:*), the issue is particularly relevant given the large install base of Contact Form 7.
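As an added illustration of the CWE-79 pattern the analysis describes (hypothetical code written for this page, not the plugin's own; the function names, the shortcode tag and the `txn` query parameter are invented), the unescaped echo of a query-string value is shown beside a hardened version that validates the value and uses WordPress's context-specific escaping helpers:

```php
<?php
// Hypothetical illustration of reflected XSS (CWE-79) in a WordPress plugin
// handler. Not code from Pay with Contact Form 7; names and parameters are invented.

// VULNERABLE: the `txn` query-string value is concatenated straight into the
// HTML. Whatever markup the request carries is reflected back in the response
// to the user who followed the link, which is the reflected XSS class.
function pwcf7_example_status_vulnerable() {
    $txn = isset( $_GET['txn'] ) ? $_GET['txn'] : '';
    return '<p>Payment status for transaction ' . $txn . '</p>'
         . '<input type="hidden" name="txn" value="' . $txn . '">';
}

// HARDENED: unslash, normalise, allow-list the expected shape, then escape for
// the exact output context (text node vs. attribute value) at render time.
function pwcf7_example_status_fixed() {
    $raw = isset( $_GET['txn'] ) ? wp_unslash( $_GET['txn'] ) : '';
    $txn = sanitize_text_field( $raw );

    // Transaction references are expected to be short alphanumerics; reject
    // anything else instead of trying to strip "bad" characters from free text.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $txn ) ) {
        return '<p>' . esc_html__( 'Invalid transaction reference.', 'pwcf7-example' ) . '</p>';
    }

    // esc_html() for content between tags, esc_attr() inside a quoted attribute.
    return '<p>' . esc_html( 'Payment status for transaction ' . $txn ) . '</p>'
         . '<input type="hidden" name="txn" value="' . esc_attr( $txn ) . '">';
}

// Only the hardened handler is wired up; the vulnerable one is kept for comparison.
add_shortcode( 'pwcf7_example_status', 'pwcf7_example_status_fixed' );
```

The allow-list check is a defence in depth on top of escaping, not a replacement for it: output escaping in the right context is what actually closes CWE-79.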
Affected Products (AI)
cmsMinds Pay with Contact Form 7 WordPress plugin versions from an unspecified baseline through 1.0.4. The plugin is available on the WordPress plugin repository and the vulnerability was reported to Patchstack, a WordPress security platform specializing in plugin audits.
Remediation (AI)
Update the Pay with Contact Form 7 plugin to a version later than 1.0.4 as soon as the vendor releases one. To do so, open the WordPress dashboard, go to Plugins > Installed Plugins, and update the plugin to the latest available version. As a temporary precaution while awaiting a patched release, site administrators should disable the plugin if it is not actively required, or, where feasible, restrict access to the payment form to authenticated users only. Further details and confirmation of patched versions are available via the Patchstack vulnerability database entry referenced in the advisory.