CVE-2025-8280

Severity: MEDIUM (CVSS 3.1 base score 5.8)
Published: 2025-09-12

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 18:30 (vuln.today)
PoC Detected: Mar 16, 2026 - 18:23 (vuln.today) - public exploit code
CVE Published: Sep 12, 2025 - 06:15 (nvd) - MEDIUM 5.8

Description (NVD)

The Contact Form 7 reCAPTCHA WordPress plugin through 1.2.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

Analysis (AI)

The Contact Form 7 reCAPTCHA WordPress plugin through version 1.2.0 contains a reflected cross-site scripting (XSS) vulnerability caused by improper handling of the REQUEST_URI server variable. An attacker can craft a malicious URL containing a JavaScript payload that, when opened by a user in a vulnerable browser, executes script in the victim's session with access to form data and site functionality. Although a public proof-of-concept exists and every version through 1.2.0 is affected, the low EPSS score (0.04%, 12th percentile), the need for user interaction, and the restriction to older browsers together suggest limited real-world exploitation likelihood despite the moderate CVSS score of 5.8.

Technical Context (AI)

The vulnerability resides in the Contact Form 7 reCAPTCHA plugin (CPE: cpe:2.3:a:iambriansreed:contact_form_7_recaptcha:*:*:*:*:*:wordpress:*:*), a WordPress extension that integrates reCAPTCHA protection into contact forms. The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), the fundamental cross-site scripting weakness. The plugin fails to escape or sanitize the $_SERVER['REQUEST_URI'] PHP superglobal before embedding it in an HTML attribute, so an attacker can break out of the intended attribute context and inject script. This is especially concerning in WordPress environments, where form data often contains sensitive user information. The impact is greatest in older browsers, which may not enforce a strict Content Security Policy and have less robust XSS protections.
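As an added illustration of the attribute-context escaping failure described above (a constructed example, not the plugin's own code): the unescaped pattern beside the escaped form WordPress plugin authors are expected to use. `esc_url()` and `wp_unslash()` are real WordPress functions; the `htmlspecialchars()` fallback is an assumption that only lets the file run from the PHP CLI outside WordPress.

```php
<?php
// Constructed illustration of CWE-79 in an HTML attribute context.
// This is not the plugin's code; it shows the weakness class and its fix.

// Vulnerable pattern: the raw request path is concatenated into an attribute
// value, so any quote or angle bracket the client sends in the path can end
// the attribute and start new markup.
function form_tag_unescaped( string $request_uri ): string {
    return '<form method="post" action="' . $request_uri . '">';
}

// Hardened pattern: esc_url() rejects characters that are not valid in a URL
// and entity-encodes the result for safe output inside an attribute.
function form_tag_escaped( string $request_uri ): string {
    if ( function_exists( 'esc_url' ) ) {
        $action = esc_url( wp_unslash( $request_uri ) );
    } else {
        // Outside WordPress (plain PHP CLI) fall back to standard attribute
        // encoding so the example still runs stand-alone.
        $action = htmlspecialchars( $request_uri, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
    return '<form method="post" action="' . $action . '">';
}

// Constructed sample input: a path containing a double quote. Modern browsers
// percent-encode such characters before sending the request, which is why the
// advisory limits practical impact to older browsers.
$sample = '/contact/?ref="';
printf( "unescaped: %s\n", form_tag_unescaped( $sample ) );
printf( "escaped:   %s\n", form_tag_escaped( $sample ) );
```

The unescaped output closes the action attribute early, while the escaped output keeps the quote inside the attribute value as an entity.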

Remediation (AI)

Immediately upgrade the Contact Form 7 reCAPTCHA plugin to version 1.2.1 or later if the vendor has released it, or disable the plugin if no patched version is available. Organizations managing multiple WordPress installations should automate plugin updates through the WordPress core update mechanism or a security-focused management tool. As an interim mitigation before patching, add Web Application Firewall (WAF) rules that filter requests whose REQUEST_URI contains script tags or encoded JavaScript payloads, and enforce an HTTP Content Security Policy header with a script-src directive limited to trusted sources. Where feasible, also restrict the plugin's functionality to authenticated users, and disable the plugin entirely on sites that do not use reCAPTCHA protection on contact forms. Consult the vendor advisory at https://wpscan.com/vulnerability/f8370026-6293-4814-961f-c254ee8e844d/ to confirm patch availability and timeline.
