CVE-2025-24726: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2025-24726 is a Stored Cross-Site Scripting (XSS) vulnerability affecting HT Plugins HT Contact Form 7, discovered by Peter Thaleikis and disclosed on January 24, 2025. The vulnerability affects versions up to and including 1.2.1 of the WordPress plugin, which has over 10,000 active installations (Wordfence Intel).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) with a CVSS v3.1 score of 6.5 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, and required user interaction (NVD, Patchstack).

The vulnerability allows authenticated attackers with contributor-level access or above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to unauthorized actions, data theft, or site defacement (WPScan).

The vulnerability has been patched in version 1.2.2 of the HT Contact Form 7 plugin. Site administrators are advised to update to version 1.2.2 or later to remove the vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).