VYPR
Unrated severity · NVD Advisory · Published Mar 27, 2023 · Updated Feb 19, 2025

Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks < 1.1.6 - Arbitrary Plugin Activation via CSRF

CVE-2023-0484

Description

The Contact Form 7 Widget plugin for WordPress before 1.1.6 lacks CSRF protection, allowing attackers to trick admins into activating arbitrary plugins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks WordPress plugin versions before 1.1.6 do not include a Cross-Site Request Forgery (CSRF) check when activating plugins. This means that any authenticated administrator who visits a maliciously crafted page while logged into the WordPress admin panel can be tricked into unknowingly activating any plugin already present on the site [1].

Exploitation

An attacker can craft a CSRF payload that triggers the plugin activation endpoint. The attacker then lures a logged-in administrator into clicking a link or visiting a page that executes the forged request. No additional authentication or privileges are required beyond the administrator's active session [1].

Impact

Successful exploitation allows the attacker to activate any plugin that is already installed on the WordPress site but not yet enabled. This could lead to further compromise if the activated plugin contains vulnerabilities or is used to execute malicious code. The attack does not allow uploading new plugins, only activating existing ones [1].

Mitigation

The vulnerability is fixed in version 1.1.6 of the plugin. Users should update to this version or later. No workaround is available for older versions. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing CSRF nonce check in the plugin-activation handler allows cross-site request forgery."

Attack vector

An attacker crafts a malicious page or link that, when visited by a logged-in administrator, triggers a forged request to the WordPress admin area to activate an arbitrary plugin already present on the blog [ref_id=1]. Because the plugin's activation handler has no CSRF nonce check [CWE-352], the browser automatically sends the admin's session cookie and the request is processed as if the admin intended it. The attacker must first identify a plugin installed on the target site that they wish to activate.

Affected code

The advisory does not specify exact file paths or function names. The vulnerability resides in the "ht-contactform" plugin (slug: ht-contactform) in versions before 1.1.6 [ref_id=1]. The plugin's plugin-activation functionality lacks a CSRF check.

What the fix does

The advisory states the issue is fixed in version 1.1.6 of the ht-contactform plugin [ref_id=1]. No patch diff is provided in the bundle. The remediation would involve adding a CSRF nonce check (e.g., `check_admin_referer()`) to the plugin-activation handler so that the request is only processed when accompanied by a valid, user-specific nonce value.
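As an added illustration of the remediation described above, here is a hypothetical WordPress admin-action handler that activates a plugin with no nonce check, next to the hardened form that verifies a nonce with `check_admin_referer()` and re-checks the `activate_plugins` capability. This is example code, not the ht-contactform plugin's own source (which the advisory does not show); the action name `example_activate_plugin` and the nonce field name `_example_nonce` are assumed.

```php
<?php
// Hypothetical example, not the ht-contactform plugin's actual code.
// Both handlers are reached via a POST to
// wp-admin/admin-post.php?action=example_activate_plugin.

// VULNERABLE: no nonce check. The browser attaches the admin's session
// cookie to a cross-site form post, so a forged request is processed
// exactly as if the administrator had submitted it (CWE-352).
function example_activate_plugin_vulnerable() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    activate_plugin( $plugin );
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}

// FIXED: the request must carry a nonce bound to this action and to the
// logged-in user. check_admin_referer() verifies the nonce (and referer)
// and calls wp_die() on failure, so a third-party page that cannot read
// the nonce cannot forge an acceptable request.
function example_activate_plugin_fixed() {
    check_admin_referer( 'example_activate_plugin', '_example_nonce' );
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    // Accept only plugin files WordPress itself knows are installed.
    if ( ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_die( 'Unknown plugin.' );
    }
    $result = activate_plugin( $plugin ); // null on success, WP_Error on failure
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ) );
    }
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}
add_action( 'admin_post_example_activate_plugin', 'example_activate_plugin_fixed' );

// The legitimate form embeds the matching nonce field via wp_nonce_field().
function example_render_activation_form( $plugin_file ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_activate_plugin">';
    echo '<input type="hidden" name="plugin" value="' . esc_attr( $plugin_file ) . '">';
    wp_nonce_field( 'example_activate_plugin', '_example_nonce' );
    submit_button( 'Activate' );
    echo '</form>';
}
```

Nonces generated by `wp_nonce_field()` are tied to the current user and session and expire, so a value captured from one admin's page is not reusable against another.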

Preconditions

  • input: Attacker must know of or identify an installed-but-inactive plugin on the target WordPress site.
  • auth: A WordPress administrator must be logged in and tricked into visiting the attacker's crafted page or link.
  • config: The target site must be running a version of the ht-contactform plugin prior to 1.1.6.

Reproduction

1. Ensure a WordPress site is running the ht-contactform plugin version < 1.1.6 and has at least one inactive plugin installed.
2. Log in as an administrator.
3. Craft an HTML page that submits a form (or uses an image tag/script) to `wp-admin/plugins.php?action=activate&plugin=INACTIVE_PLUGIN_SLUG&_wpnonce=...`; note that the nonce is not validated by the vulnerable plugin, so a static or omitted nonce may suffice.
4. Trick the logged-in admin into visiting this crafted page.
5. Observe that the target plugin becomes activated without the admin's consent [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.