CVE-2025-47626: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability has been identified in apasionados Submission DOM tracking for Contact Form 7, affecting versions up to and including 2.0. The vulnerability, tracked as CVE-2025-47626, was discovered and disclosed on May 7, 2025. This security flaw specifically affects the WordPress plugin's DOM tracking functionality for Contact Form 7 (NVD Database, Patchstack Advisory).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. According to the CVSS 3.1 scoring system, it has received a medium severity rating with a base score of 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N). The vulnerability allows for Stored XSS attacks through the plugin's DOM tracking functionality (NVD Database).

The vulnerability enables attackers to execute stored Cross-Site Scripting attacks, potentially compromising website security. When successfully exploited, it could allow malicious actors to inject scripts that execute when users visit affected pages, potentially leading to data theft or manipulation of website content (Patchstack Advisory).

As of the current date, no official fix has been released for this vulnerability. Users are advised to consider removing and replacing the plugin with an alternative solution, as the software appears to be abandoned with no recent updates (Patchstack Advisory).