CVE-2025-8280: 
WordPress 脆弱性の分析と軽減

The Contact Form 7 reCAPTCHA WordPress plugin through version 1.2.0 contains a Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability exists because the plugin fails to properly escape the $SERVER['REQUESTURI'] parameter before outputting it back in an attribute (WPScan).

The vulnerability is caused by improper sanitization of user input, specifically the $SERVER['REQUESTURI'] parameter, which is output back in an HTML attribute without proper escaping. This could allow an attacker to execute malicious JavaScript code in the context of old web browsers. The vulnerability has been assigned a CVSS v3.1 base score of 5.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating that it requires network access, high attack complexity, no privileges, and user interaction (AttackerKB).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser in the context of the vulnerable website. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks (WPScan).

Currently, there is no known fix available for this vulnerability in the Contact Form 7 reCAPTCHA plugin (WPScan).