Ultra Addons for Contact Form 7 Vulnerability - CVE-2025-6212

Hey there!

It's been a few days since I've posted a new vulnerability with high impact.

This one affects at least 30-40k WordPress websites and has a CVSS score of 7.2 (High).

It affects the Ultra Addons for Contact Form 7 plugin and allows unauthenticated hackers to inject arbitrary scripts into pages, which then execute every time someone visits such a page.

The vulnerability severity is pretty high, so it's advisable to update the plugin immediately.

Affected plugin versions are 3.5.11 - 3.5.19, and the latest one that you should update to is 3.5.20.
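To check several sites at once, here is an added example (not code from the plugin or its vendor) that reads the plugin headers under `wp-content/plugins` and compares the installed version against the range above. It assumes the plugin's `Plugin Name` header contains "Ultra Addons for Contact Form 7"; pass a different `name_match` if yours differs. The folder and file names in the sample are hypothetical.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_MIN, AFFECTED_MAX = (3, 5, 11), (3, 5, 19)  # range given in the post
# WordPress reads plugin headers from the first 8 KB of the main plugin file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_header(php_text):
    """Return the 'plugin name' and 'version' header fields, lower-cased keys."""
    fields = {}
    for key, value in HEADER_RE.findall(php_text[:8192]):
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(version):
    """'3.5.9' -> (3, 5, 9), so 3.5.9 < 3.5.11 compares numerically, not as text."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version):
    v = version_tuple(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "AFFECTED"
    return "older than affected range" if v < AFFECTED_MIN else "not affected"

def scan(plugins_dir, name_match="Ultra Addons for Contact Form 7"):
    """Check every plugin main file under wp-content/plugins/<dir>/*.php."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        hdr = parse_header(php.read_text(errors="replace"))
        if name_match.lower() in hdr.get("plugin name", "").lower() and "version" in hdr:
            findings.append((php.parent.name, hdr["version"], classify(hdr["version"])))
    return findings

def demo():
    """Constructed sample: three fake sites, each with a hypothetical plugin folder."""
    results = []
    with tempfile.TemporaryDirectory() as root:
        for site, ver in [("site-a", "3.5.9"), ("site-b", "3.5.12"), ("site-c", "3.5.20")]:
            plugin = Path(root, site, "wp-content/plugins/example-plugin-dir")
            plugin.mkdir(parents=True)
            (plugin / "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: Ultra Addons for Contact Form 7\n * Version: {ver}\n */\n")
            results += [(site, v, status) for _, v, status in scan(plugin.parent)]
    return results

if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

On a real server, call `scan()` with the path to each site's `wp-content/plugins` directory.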

Potential exploitation could include malware that mines cryptocurrency or skims credit card and personal data, and even surveillance.

Have a question or need help? Just let me know!
