Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks Integration for Contact Form 7 and Constant Contact cf7-constant-contact allows Stored XSS.This issue affects Integration for Contact Form 7 and Constant Contact: from n/a through <= 1.1.7.
Published: 2025-08-14
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Vulnerability is an improper neutralization of input during web page generation, allowing stored cross‑site scripting on sites using CRM Perks Integration for Contact Form 7 and Constant Contact. When an attacker supplies crafted data, the malicious script is persisted and later rendered in a user’s browser. This can lead to cookie theft, session hijack, defacement or disclosure of sensitive information to the attacker.

Affected Systems

The flaw occurs in the CRM Perks Integration for Contact Form 7 and Constant Contact plugin for WordPress, affecting all releases through version 1.1.7. WordPress sites that incorporate that plugin and have not applied an upgrade are susceptible.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, with an EPSS score below 1% suggesting low historical exploitation probability. The vulnerability is not listed in CISA KEV, which reduces the urgency compared to known exploited flaws. Based on the description, it is inferred that the likely attack vector is through the plugin’s data entry interface, where an attacker can submit a malicious value that is later stored and rendered to other site visitors.

Generated by OpenCVE AI on April 30, 2026 at 16:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CRM Perks Integration for Contact Form 7 and Constant Contact plugin to a version newer than 1.1.7 or install the latest official release.
  • If an upgrade is not immediately possible, consider temporarily disabling the plugin or removing it until a patched version is available to prevent server‑side rendering of user supplied data.
  • Apply a content security policy that restricts inline scripts and unsafe‑eval, and ensure that any user‑generated content is properly escaped or sanitized before rendering.

Generated by OpenCVE AI on April 30, 2026 at 16:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-24710 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks Integration for Contact Form 7 and Constant Contact allows Stored XSS. This issue affects Integration for Contact Form 7 and Constant Contact: from n/a through 1.1.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks Integration for Contact Form 7 and Constant Contact allows Stored XSS. This issue affects Integration for Contact Form 7 and Constant Contact: from n/a through 1.1.7. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks Integration for Contact Form 7 and Constant Contact cf7-constant-contact allows Stored XSS.This issue affects Integration for Contact Form 7 and Constant Contact: from n/a through <= 1.1.7.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Sat, 16 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Crmperks
Crmperks integration For Contact Form 7 And Constant Contact
Wordpress
Wordpress wordpress
Vendors & Products Crmperks
Crmperks integration For Contact Form 7 And Constant Contact
Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks Integration for Contact Form 7 and Constant Contact allows Stored XSS. This issue affects Integration for Contact Form 7 and Constant Contact: from n/a through 1.1.7.
Title WordPress Integration for Contact Form 7 and Constant Contact Plugin plugin <= 1.1.7 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Crmperks Integration For Contact Form 7 And Constant Contact
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:33.997Z

Reserved: 2025-07-28T10:55:49.522Z

Link: CVE-2025-54684

cve-icon Vulnrichment

Updated: 2025-08-14T14:51:49.559Z

cve-icon NVD

Status : Deferred

Published: 2025-08-14T11:15:47.817

Modified: 2026-04-23T15:32:49.197

Link: CVE-2025-54684

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T16:30:16Z

Weaknesses