Impact
The vulnerability is a Cross‑Site Scripting (XSS) flaw in Themefic Ultimate Addons for Contact Form 7. Improper neutralization of input allows an attacker to inject malicious scripts that execute in victims’ browsers when they view affected pages, potentially leading to theft of session cookies, defacement, or further malware delivery. The weakness is classified as CWE‑79.
Affected Systems
The affected product is Themefic’s Ultimate Addons for Contact Form 7 plugin for WordPress. Vulnerable versions range from the earliest available release up to and including 3.5.36. Any WordPress site running a version ≤3.5.36 is impacted, regardless of the site administrator’s role.
Risk and Exploitability
The CVSS score is 6.5, indicating a moderate‑to‑high risk level. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the victim to visit a page that reflects unfiltered input; an attacker could craft a link or an embedded form value that injects malicious JavaScript. If the site permits untrusted users to submit content that is displayed to other users, the risk is greater; otherwise the impact is limited to the sessions of users who follow a crafted link. Nonetheless, the potential for credential theft and site compromise warrants prompt action.