Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themelogger Contact Form 7 Star Rating with font Awesome contact-form-7-star-rating-with-font-awersome allows Stored XSS.This issue affects Contact Form 7 Star Rating with font Awesome: from n/a through <= 1.3.
Published: 2025-02-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of user input when generating web pages, allowing an attacker to inject malicious scripts that are stored in the system and later served to visitors. This stored XSS flaw can be exploited to execute arbitrary JavaScript in the context of authenticated visitors, potentially leading to data theft, session hijacking, or defacement. The weakness corresponds to CWE‑79.

Affected Systems

The affected product is the WordPress plugin Contact Form 7 Star Rating with font Awesome from the vendor themelogger, with all releases up to and including version 1.3. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate severity level, while the EPSS score of less than 1% reflects a very low but non‑zero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the stored nature of the flaw, the attack vector is inferred to be through user‑controlled fields within the plugin’s form or rating components, where input is persisted and later rendered to other site users.

Generated by OpenCVE AI on May 1, 2026 at 15:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Contact Form 7 Star Rating with font Awesome plugin to a version newer than 1.3 or apply the vendor’s patch if available
  • If no patch exists, disable the plugin until a fix is released to prevent stored malicious scripts from being persisted
  • Ensure the WordPress instance is configured to strip script tags or run content through a sanitization filter to mitigate the impact of any remaining stored XSS

Generated by OpenCVE AI on May 1, 2026 at 15:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4344 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themelogger Contact Form 7 Star Rating with font Awesome allows Stored XSS. This issue affects Contact Form 7 Star Rating with font Awesome: from n/a through 1.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themelogger Contact Form 7 Star Rating with font Awesome allows Stored XSS. This issue affects Contact Form 7 Star Rating with font Awesome: from n/a through 1.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themelogger Contact Form 7 Star Rating with font Awesome contact-form-7-star-rating-with-font-awersome allows Stored XSS.This issue affects Contact Form 7 Star Rating with font Awesome: from n/a through <= 1.3.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Mon, 24 Feb 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 24 Feb 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themelogger Contact Form 7 Star Rating with font Awesome allows Stored XSS. This issue affects Contact Form 7 Star Rating with font Awesome: from n/a through 1.3.
Title WordPress Contact Form 7 Star Rating with font Awesome plugin <= 1.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:47.564Z

Reserved: 2025-02-21T16:45:34.056Z

Link: CVE-2025-27304

cve-icon Vulnrichment

Updated: 2025-02-24T16:57:57.200Z

cve-icon NVD

Status : Deferred

Published: 2025-02-24T15:15:16.260

Modified: 2026-06-17T09:03:22.103

Link: CVE-2025-27304

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T16:00:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')