Description
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's qs_date shortcode in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting leading to arbitrary script execution via the plugin's shortcode
Action: Apply Patch
AI Analysis

Impact

The Redirection for Contact Form 7 plugin contains insufficient input sanitization on the qs_date shortcode, allowing an authenticated user with contributor or higher privileges to inject arbitrary JavaScript into stored post content. Once injected, the script runs automatically whenever any user visits the affected page, potentially leading to theft of credentials, defacement, or full compromise of the victim's browser context. The weakness is a classic stored cross-site scripting flaw (CWE-79).

Affected Systems

WordPress sites that have installed the Redirection for Contact Form 7 plugin from themeisle, versions 3.2.6 and earlier. The plugin is widely used to redirect after form submission, so any site running these versions is at risk.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw requires only contributor-level authentication, a role common on many sites, and the payload is stored in the database, a successful exploit can affect all site visitors. Attackers would typically create or edit a post that contains the malicious qs_date shortcode, so the payload persists until it is removed.

Generated by OpenCVE AI on April 21, 2026 at 02:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Redirection for Contact Form 7 to the latest released version that addresses the qs_date XSS issue
  • Remove or disable any qs_date shortcode usage from all posts and templates until an update is applied
  • If an upgrade is not immediately possible, restrict contributor access and use role‑based filters to prevent the shortcode from being inserted by untrusted users


Advisories

No advisories yet.

History

Mon, 27 Oct 2025 17:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Oct 2025 13:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Themeisle; Themeisle redirection For Contact Form 7; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Themeisle; Themeisle redirection For Contact Form 7; Wordpress; Wordpress wordpress

Sat, 18 Oct 2025 07:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Redirection for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's qs_date shortcode in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: Redirection for Contact Form 7 <= 3.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via qs_date Shortcode

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added:

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added:
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:08.978Z

Reserved: 2025-08-27T21:14:05.609Z

Link: CVE-2025-9562

Vulnrichment

Updated: 2025-10-27T16:13:21.630Z

NVD

Status: Deferred

Published: 2025-10-18T07:15:36.213

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:15:06Z

Weaknesses