cleantalk
Vulnerabilities and Security Researches

Contact Form 7 with ChatWork, CVE-2025-13975

CVE, Research URL

CVE-2025-13975

Home page URL

Security reports for Contact Form 7 with ChatWork

Application

Contact Form 7 with ChatWork

Published on
Dec 12, 2025
Research Description
The Contact Form 7 with ChatWork plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api_token' and 'roomid' settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses the settings page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 1.1.0.
Status
vulnerable
Previous vulnerability researches
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2019-25143) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (7d5b4ba83a5c6004460bf267fe534a359e1416b0) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2023-4013) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2025-1621) , Mar 14, 2025
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) , Aug 26, 2025
New vulnerability
Advanced Classifieds & Directory Pro (CVE-2025-68580) , Jan 10, 2026
Co-marquage service-public.fr (CVE-2025-62113) , Jan 10, 2026
404 Solution (CVE-2025-14477) , Jan 10, 2026
BizPrint – Print WooCommerce Order Receipts, Invoices, Labels & More. (CVE-2025-69024) , Jan 10, 2026
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (CVE-2025-13754) , Jan 10, 2026