Medium severity5.8NVD Advisory· Published Jan 17, 2026· Updated Apr 15, 2026

CVE-2025-12718

Description

The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details.

Affected products

WordPress/Quick Contact Formllm-fuzzy
Range: <=8.2.6
Package: https://wordpress.org/plugins/quick-contact-form

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvd
www.wordfence.com/threat-intel/vulnerabilities/id/dc7ba538-a7ee-48c8-996c-b8db1934fdebnvd

News mentions

No linked articles in our index yet.

cvss	0.377
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000