The Contact Form 7 reCAPTCHA WordPress plugin through 1.2.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
Metrics
Affected Vendors & Products
References
History
Mon, 15 Sep 2025 10:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Wordpress
Wordpress wordpress |
|
Vendors & Products |
Wordpress
Wordpress wordpress |
Fri, 12 Sep 2025 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
cvssV3_1
|
Fri, 12 Sep 2025 06:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Contact Form 7 reCAPTCHA WordPress plugin through 1.2.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | |
Title | Contact Form 7 reCAPTCHA <= 1.2.0 - Reflected XSS via $_SERVER['REQUEST_URI'] | |
References |
|

Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2025-09-12T16:22:30.609Z
Reserved: 2025-07-28T13:37:03.227Z
Link: CVE-2025-8280

Updated: 2025-09-12T16:11:01.981Z

Status : Awaiting Analysis
Published: 2025-09-12T06:15:43.660
Modified: 2025-09-15T15:21:42.937
Link: CVE-2025-8280

No data.