CVE-2025-6756: 
WordPress vulnerability analysis and mitigation

The Ultra Addons for Contact Form 7 plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-6756) in versions up to and including 3.5.21. The vulnerability exists in the plugin's UACF7CUSTOMFIELDS shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. The issue was discovered and disclosed on June 30, 2025 (NVD).

The vulnerability is caused by inadequate sanitization and escaping of user input in the UACF7CUSTOMFIELDS shortcode implementation. The CVSS v3.1 base score is 6.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD, Wordfence).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD).

The vulnerability has been patched in version 3.5.22 of the Ultra Addons for Contact Form 7 plugin. Users are advised to update to this version immediately. The update includes security fixes that address the content sanitization issues (WordPress Plugin).