Impact
The Contact Form 7 with ChatWork plugin for WordPress contains a stored cross‑site scripting flaw caused by inadequate sanitization of the 'api_token' and 'roomid' settings fields. This weakness, classified as CWE‑79, allows authenticated users with administrator‑level privileges or higher to inject malicious JavaScript that runs whenever another user visits the plugin settings page. The injected script executes with the privileges of whoever views the page, potentially enabling further privilege escalation or data theft within the WordPress installation.
Affected Systems
The vulnerability exists in all releases of the izuchy Contact Form 7 with ChatWork plugin up to and including version 1.1.0. It affects multi‑site WordPress installations and sites where the unfiltered_html capability has been disabled; in other configurations administrators are already permitted to post unfiltered HTML, so the missing sanitization does not grant them anything new. Sites using newer plugin versions are not affected.
Risk and Exploitability
The CVSS score of 4.4 indicates a moderate risk level. The EPSS score of less than 1 % implies a very low exploitation probability at present, and the flaw is not listed in the CISA KEV catalog. The flaw requires authenticated access with administrator or higher privilege, so it is not exploitable by unauthenticated actors. An attacker would need to compromise an administrator account or a highly privileged role, then inject script code into the settings page, which would subsequently be executed by other site users who view that page.
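As an added illustration of the settings‑page pattern described under Impact (this is example code, not the plugin's own source), the PHP below shows an unsanitized save/echo path next to a hardened version that sanitizes on input and escapes on output. The option name `cf7cw_example_settings`, the function names and the assumption that the room identifier is numeric are all placeholders chosen for this example; the WordPress API calls (`register_setting`, `sanitize_text_field`, `absint`, `esc_attr`, `get_option`, `update_option`, `check_admin_referer`, `wp_unslash`) are real.

```php
<?php
/**
 * Added example, not the plugin's code. Option and function names are
 * placeholders; field names mirror the ones named in the advisory.
 */

// --- Vulnerable pattern: value stored and echoed without sanitization or escaping ---
function cf7cw_example_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'cf7cw_example_save' );
    // The raw POST values are written to the options table unchanged.
    update_option( 'cf7cw_example_api_token', wp_unslash( $_POST['api_token'] ) );
    update_option( 'cf7cw_example_roomid',    wp_unslash( $_POST['roomid'] ) );
}

function cf7cw_example_render_vulnerable() {
    // Raw interpolation into an attribute: a stored value can terminate the
    // quoted attribute and inject markup every time the page is rendered.
    echo '<input type="text" name="api_token" value="' . get_option( 'cf7cw_example_api_token' ) . '">';
    echo '<input type="text" name="roomid" value="' . get_option( 'cf7cw_example_roomid' ) . '">';
}

// --- Hardened pattern: sanitize on input, escape on output ---
function cf7cw_example_sanitize_settings( $input ) {
    $clean = array();
    // An API token has no legitimate markup: strip tags and control characters.
    $clean['api_token'] = isset( $input['api_token'] )
        ? sanitize_text_field( $input['api_token'] )
        : '';
    // Assumption for this example: the room identifier is numeric, so coerce it
    // to a non-negative integer and discard anything else.
    $clean['roomid'] = isset( $input['roomid'] ) ? absint( $input['roomid'] ) : 0;
    return $clean;
}

function cf7cw_example_register() {
    // The sanitize_callback runs on every save via the Settings API, so the
    // stored value is clean regardless of who submitted it.
    register_setting(
        'cf7cw_example_group',
        'cf7cw_example_settings',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'cf7cw_example_sanitize_settings',
            'default'           => array( 'api_token' => '', 'roomid' => 0 ),
        )
    );
}
add_action( 'admin_init', 'cf7cw_example_register' );

function cf7cw_example_render_hardened() {
    $opts = get_option( 'cf7cw_example_settings', array( 'api_token' => '', 'roomid' => 0 ) );
    // esc_attr() encodes quotes and angle brackets, so whatever is stored
    // stays inside the attribute value when the page is rendered.
    printf(
        '<input type="text" name="cf7cw_example_settings[api_token]" value="%s">',
        esc_attr( $opts['api_token'] )
    );
    printf(
        '<input type="number" name="cf7cw_example_settings[roomid]" value="%d">',
        (int) $opts['roomid']
    );
}
```

The hardened version does not rely on the viewer's or the submitter's capabilities: the value is normalised before it reaches the database and escaped again at output, so the scoping condition in the advisory (multi‑site, or unfiltered_html disabled) no longer matters. When reviewing a plugin for this class of bug, look for `update_option()` calls fed directly from `$_POST` and for `get_option()` results concatenated into HTML without `esc_attr()` or `esc_html()`.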
OpenCVE Enrichment