CVE-2025-8280: 
WordPress vulnerability analysis and mitigation

The Contact Form 7 reCAPTCHA WordPress plugin through version 1.2.0 contains a Reflected Cross-Site Scripting vulnerability (CVE-2025-8280). The vulnerability was discovered by Bob Matyas and publicly disclosed on August 22, 2025. The issue affects the plugin's handling of the $_SERVER['REQUEST_URI'] parameter, which is not properly escaped before being output in an attribute (WPScan).

The vulnerability stems from improper sanitization of user input where the $_SERVER['REQUEST_URI'] parameter is directly output into an attribute without proper escaping. This creates a reflected XSS condition that can be exploited in older web browsers. The vulnerability has been assigned a CVSS v3.1 base score of 5.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating that it requires network access, has high attack complexity, needs no privileges, but requires user interaction (AttackerKB).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of a user's browser session when they visit a specially crafted URL. The impact is considered Low for Confidentiality, Integrity, and Availability, but the scope is Changed, meaning the vulnerable component impacts resources beyond its security scope (AttackerKB).

Currently, there is no known fix available for this vulnerability in the Contact Form 7 reCAPTCHA plugin (WPScan).