PHP
CVE-2025-8280
Severity: MEDIUM
Severity by source: NVD (primary rating; only source for this CVE)
CVSS vector (NVD): CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Description (CVE.org)
The Contact Form 7 reCAPTCHA WordPress plugin through 1.2.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
Analysis (AI)
The Contact Form 7 reCAPTCHA WordPress plugin through version 1.2.0 contains a reflected cross-site scripting (XSS) vulnerability caused by improper handling of the REQUEST_URI server variable. An attacker can craft a malicious URL containing a JavaScript payload that, when opened by a user in a vulnerable browser, executes arbitrary script in the victim's session with access to form data and site functionality. While a public proof-of-concept exists and the vulnerability affects all versions through 1.2.0, the low EPSS score (0.04%, 12th percentile) and the requirement for both user interaction and an older browser suggest limited real-world exploitation likelihood despite the moderate CVSS score of 5.8.
Technical Context (AI)
The vulnerability resides in the Contact Form 7 reCAPTCHA plugin (CPE: cpe:2.3:a:iambriansreed:contact_form_7_recaptcha:*:*:*:*:*:wordpress:*:*), a WordPress extension that integrates reCAPTCHA protection into contact forms. The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), the fundamental cross-site scripting weakness. The plugin fails to escape or sanitize the $_SERVER['REQUEST_URI'] PHP superglobal before embedding it in an HTML attribute, so a crafted request path can break out of the intended attribute context and inject script. This is especially dangerous in WordPress environments where form data often contains sensitive user information, and the impact is greatest in older browsers that may not enforce a strict Content Security Policy or have less robust XSS protections.
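The attribute-context escaping failure described above, shown as an added illustration that is not the plugin's own code: a hypothetical unescaped pattern next to its hardened form, with the request URI passed in as a parameter so the file runs offline (the `form_tag_*` function names and the sample URI are constructed for this example).

```php
<?php
// Added illustration, not the plugin's code. The advisory describes
// $_SERVER['REQUEST_URI'] being written into an HTML attribute without
// escaping (CWE-79). Both functions below are hypothetical stand-ins
// that take the request URI as a parameter instead of reading the
// superglobal, so the file can be run outside a web server.

// Vulnerable pattern: the raw request URI is concatenated into the
// action attribute. A double quote in the path or query closes the
// attribute, so attribute-context injection becomes possible.
function form_tag_unescaped(string $request_uri): string
{
    return '<form action="' . $request_uri . '" method="post">';
}

// Hardened pattern: escape for the attribute context. WordPress code
// should use esc_attr() (or esc_url() when the value is a URL); the
// htmlspecialchars() fallback lets this file run without WordPress.
function form_tag_escaped(string $request_uri): string
{
    $safe = function_exists('esc_attr')
        ? esc_attr($request_uri)
        : htmlspecialchars($request_uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Constructed sample: a request URI carrying a quote and angle
// brackets, the characters needed to leave the attribute.
$sample = '/contact/?q="><i>';

$vulnerable = form_tag_unescaped($sample);
$hardened   = form_tag_escaped($sample);

// In the vulnerable output the attribute ends early at the injected
// quote; in the hardened output every special character is an entity
// and the whole value stays inside the attribute.
echo $vulnerable, PHP_EOL;
echo $hardened, PHP_EOL;

// Regression check: the escaped tag must contain exactly the four
// quotes that delimit its own two attributes, none from the input.
if (substr_count($hardened, '"') !== 4) {
    throw new RuntimeException('attribute escaping failed');
}
```

Current browsers percent-encode `"`, `<` and `>` in the path and query before sending the request, which is why the advisory scopes exploitation to old browsers; escaping on output removes that dependence on client behaviour.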
Remediation (AI)
Upgrade the Contact Form 7 reCAPTCHA plugin to version 1.2.1 or later as soon as the vendor makes it available, or disable the plugin if no patched version is accessible. Organizations managing multiple WordPress installations should automate plugin updates through the WordPress core update mechanism or security-focused management tools. As an interim mitigation prior to patching, implement Web Application Firewall (WAF) rules that filter request URIs containing script tags or encoded JavaScript payloads, and enforce an HTTP Content Security Policy header whose script-src directive is limited to trusted sources. Additionally, restrict plugin functionality to authenticated users where feasible, and disable the plugin entirely on sites not actively using reCAPTCHA protection on contact forms. Consult the advisory at https://wpscan.com/vulnerability/f8370026-6293-4814-961f-c254ee8e844d/ for patch availability confirmation and timeline.