CVE-2025-9562: 
WordPress vulnerability analysis and mitigation

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the plugin's qs_date shortcode in versions up to and including 3.2.6. The vulnerability was discovered and disclosed on October 18, 2025, and has been assigned CVE-2025-9562 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes in the qs_date shortcode functionality. The issue has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating a network-accessible vulnerability requiring low privileges and no user interaction (Wordfence).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to theft of sensitive information or manipulation of page content (NVD).

The vulnerability has been patched in version 3.2.7 of the Redirection for Contact Form 7 plugin. Users are advised to update to this version immediately. The update includes enhanced security measures and updated dependencies (WordPress Plugin).