Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in apasionados Submission DOM tracking for Contact Form 7 cf7-submission-dom-tracking allows Stored XSS.This issue affects Submission DOM tracking for Contact Form 7: from n/a through <= 2.1.
Published: 2025-05-07
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw (CWE‑79) in the Submission DOM tracking for Contact Form 7 plugin, where user input is rendered on a page without proper neutralization. An attacker can submit malicious JavaScript that is saved by the plugin and later served to anyone who views the affected form. The injected script runs in the victim’s browser and can hijack sessions, deface the site, or deliver malware, compromising both confidentiality and integrity of the target environment.

Affected Systems

The affected product is the Submission DOM tracking for Contact Form 7 plugin by apasionados. Versions from the earliest release through 2.1 are vulnerable. Any WordPress site that has installed the plugin and is running a version less than or equal to 2.1 should identify whether it is present and determine the need for remediation.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. Attackers would need a victim to visit a page that renders the stored payload, so user interaction is required. The impact is confined to the victim’s browser, but the broader site can suffer defacement or malware propagation, especially on high‑traffic or publicly visible forms.

Generated by OpenCVE AI on April 30, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 2.2 or later, which removes the input sanitization flaw.
  • If no upgrade is possible, delete or disable the plugin from the installation.
  • Apply a content‑security‑policy header or use a trusted plugin to ensure that any remaining output is properly escaped, mitigating the risk of stored XSS.

Generated by OpenCVE AI on April 30, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13757 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in apasionados Submission DOM tracking for Contact Form 7 allows Stored XSS. This issue affects Submission DOM tracking for Contact Form 7: from n/a through 2.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in apasionados Submission DOM tracking for Contact Form 7 allows Stored XSS. This issue affects Submission DOM tracking for Contact Form 7: from n/a through 2.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in apasionados Submission DOM tracking for Contact Form 7 cf7-submission-dom-tracking allows Stored XSS.This issue affects Submission DOM tracking for Contact Form 7: from n/a through <= 2.1.
Title WordPress Submission DOM tracking for Contact Form 7 <= 2.0 - Cross Site Scripting (XSS) Vulnerability WordPress Submission DOM tracking for Contact Form 7 plugin <= 2.1 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00031}

 epss

{'score': 0.00036}

Mon, 12 May 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Apasionados
Apasionados submission Dom Tracking For Contact Form 7
CPEs cpe:2.3:a:apasionados:submission_dom_tracking_for_contact_form_7:*:*:*:*:*:wordpress:*:*
Vendors & Products Apasionados
Apasionados submission Dom Tracking For Contact Form 7

Thu, 08 May 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in apasionados Submission DOM tracking for Contact Form 7 allows Stored XSS. This issue affects Submission DOM tracking for Contact Form 7: from n/a through 2.0.
Title WordPress Submission DOM tracking for Contact Form 7 <= 2.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Apasionados Submission Dom Tracking For Contact Form 7
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:47.590Z

Reserved: 2025-05-07T10:44:40.884Z

Link: CVE-2025-47626

cve-icon Vulnrichment

Updated: 2025-05-08T15:21:32.446Z

cve-icon NVD

Status : Modified

Published: 2025-05-07T15:16:15.857

Modified: 2026-04-23T15:30:38.080

Link: CVE-2025-47626

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T20:30:26Z

Weaknesses