Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in sevenspark Contact Form 7 – Dynamic Text Extension contact-form-7-dynamic-text-extension allows Code Injection.This issue affects Contact Form 7 – Dynamic Text Extension: from n/a through <= 5.0.5.
Published: 2025-12-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of script‑related HTML tags that allows an attacker to inject arbitrary HTML or JavaScript into web pages rendered by the plugin. This code injection can lead to defacement, phishing, or potentially theft of user session data. The weakness is classified as CWE‑80, a basic cross‑site scripting vulnerability.

Affected Systems

WordPress sites that include the sevenspark Contact Form 7 – Dynamic Text Extension plugin version 5.0.5 or earlier are affected. The issue applies to all installations using the plugin's dynamic text feature, regardless of the site's theme or other plugins.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score is below 1 %, suggesting a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation would most likely occur through a crafted form submission that includes malicious scripts, meaning the attack vector is web‑based and can be performed from an external attacker.

Generated by OpenCVE AI on April 29, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest version provided by sevenspark
  • Disable the Dynamic Text Extension feature or deactivate the plugin if an upgrade is not available
  • Configure form fields to enforce plain text input and apply additional sanitization via a WordPress security plugin

Generated by OpenCVE AI on April 29, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in sevenspark Contact Form 7 Dynamic Text Extension contact-form-7-dynamic-text-extension allows Code Injection.This issue affects Contact Form 7 Dynamic Text Extension: from n/a through <= 5.0.3. Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in sevenspark Contact Form 7 – Dynamic Text Extension contact-form-7-dynamic-text-extension allows Code Injection.This issue affects Contact Form 7 – Dynamic Text Extension: from n/a through <= 5.0.5.
Title WordPress Contact Form 7 Dynamic Text Extension plugin <= 5.0.3 - Content Injection vulnerability WordPress Contact Form 7 Dynamic Text Extension plugin <= 5.0.5 - Content Injection vulnerability

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Sevenspark
Sevenspark contact Form 7 - Dynamic Text Extension
Wordpress
Wordpress wordpress
Vendors & Products Sevenspark
Sevenspark contact Form 7 - Dynamic Text Extension
Wordpress
Wordpress wordpress

Tue, 09 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in sevenspark Contact Form 7 Dynamic Text Extension contact-form-7-dynamic-text-extension allows Code Injection.This issue affects Contact Form 7 Dynamic Text Extension: from n/a through <= 5.0.3.
Title WordPress Contact Form 7 Dynamic Text Extension plugin <= 5.0.3 - Content Injection vulnerability
Weaknesses CWE-80
References

Subscriptions

Sevenspark Contact Form 7 - Dynamic Text Extension
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:36:28.559Z

Reserved: 2025-10-24T14:26:38.886Z

Link: CVE-2025-63068

cve-icon Vulnrichment

Updated: 2025-12-09T21:22:49.749Z

cve-icon NVD

Status : Deferred

Published: 2025-12-09T16:18:12.577

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-63068

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T12:30:10Z

Weaknesses