PT-2025-26947 · WordPress · Ultimate Addons For Contact Form 7

Author: Florent Geffroy
Published: 2025-06-26 · Updated: 2025-07-01
CVE-2025-6212
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Ultra Addons for Contact Form 7 plugin for WordPress, versions 3.5.11 through 3.5.19

Description: The issue is a Stored Cross-Site Scripting vulnerability in the Database module, caused by insufficient input sanitization and output escaping. Form field names are stored unfiltered alongside the sanitized field values. Later, the admin-side AJAX endpoint ajax_get_table_data() returns those raw names as JSON column headers, and the client-side DataTables renderer inserts them directly into the DOM without HTML encoding. As a result, unauthenticated attackers can inject arbitrary web scripts that execute whenever a user opens a page that renders the injected data.

Recommendations: For versions 3.5.11 through 3.5.19, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider disabling the ajax_get_table_data() function until a patch is available. Restrict access to the Database module to minimize the risk of exploitation. Avoid using the unfiltered field names in the affected AJAX endpoint until the issue is resolved.
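The client-side half of the issue described above, as an added example that is not code from the plugin or its vendor: DataTables treats each column's title as HTML, so a header name taken verbatim from the AJAX JSON response is injected into the DOM. Escaping the title before building the column definitions makes it render as text; the function and sample header list here are constructed for illustration. A small audit helper is also included so an administrator can flag stored field names that contain markup.

```javascript
// Minimal HTML escaping for text that will be placed into an HTML context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: raw header names from the JSON response are used as
// DataTables column titles, which DataTables inserts as HTML.
function buildColumnsUnsafe(headers) {
  return headers.map((name, index) => ({ title: name, data: index }));
}

// Hardened pattern: titles are HTML-escaped before reaching DataTables.
// `data: index` keeps row lookup by position, so only the title changes.
function buildColumnsSafe(headers) {
  return headers.map((name, index) => ({ title: escapeHtml(name), data: index }));
}

// Audit helper for defenders: return stored header names that contain
// markup characters, which legitimate Contact Form 7 field names never need.
function findMarkupHeaders(headers) {
  return headers.filter((name) => /[<>"']/.test(String(name)));
}

// Constructed sample response, shaped like a column-header list; the third
// entry contains a benign tag to show the difference between the two builders.
const sampleHeaders = ["your-name", "your-email", "note<b>x</b>"];

function demo() {
  const unsafe = buildColumnsUnsafe(sampleHeaders);
  const safe = buildColumnsSafe(sampleHeaders);
  return {
    unsafeTitle: unsafe[2].title,         // "note<b>x</b>" (rendered as HTML)
    safeTitle: safe[2].title,             // "note&lt;b&gt;x&lt;/b&gt;" (rendered as text)
    flagged: findMarkupHeaders(sampleHeaders), // ["note<b>x</b>"]
  };
}
```

With a live table you would pass `buildColumnsSafe(response.columns)` as the `columns` option of the DataTables initializer; the escaping happens before DataTables ever sees the string.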

Related Identifiers: CVE-2025-6212

Affected Products: Ultimate Addons For Contact Form 7