CVE-2025-23972
Description
Cross-Site Request Forgery (CSRF) vulnerability in Brian S. Reed Contact Form 7 reCAPTCHA (contact-form-7-recaptcha) allows Cross Site Request Forgery. This issue affects Contact Form 7 reCAPTCHA: from n/a through <= 1.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Contact Form 7 reCAPTCHA plugin <=1.2.0 has a CSRF vulnerability allowing attackers to force privileged users to perform unintended actions.
Vulnerability
Overview
The Contact Form 7 reCAPTCHA plugin for WordPress, versions up to and including 1.2.0, is vulnerable to Cross-Site Request Forgery (CSRF). The plugin does not verify a WordPress nonce (or apply any equivalent check) on certain state-changing requests, so a request that originates from an attacker-controlled page is indistinguishable from one submitted through the plugin's own settings screen. An attacker can therefore trick a logged-in administrator's browser into submitting such a request [1].
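The pattern described above, as an added illustration that is not the plugin's real code: a hypothetical WordPress settings handler in the shape that produces a CSRF bug, beside the hardened form a fix would take. All function, option, action and field names (prefixed `example_`) are invented for this example; the WordPress APIs used (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `update_option`, `sanitize_text_field`, `wp_safe_redirect`) are real.

```php
<?php
/**
 * Added illustration (not the Contact Form 7 reCAPTCHA plugin's code).
 * Option, action and field names below are invented.
 */

// --- Vulnerable shape -------------------------------------------------------
// Any POST to admin-post.php?action=example_save_keys made by a logged-in
// administrator's browser overwrites the stored keys. A page on another origin
// can auto-submit such a form; the browser attaches the admin's WordPress
// session cookies, and nothing in the handler ties the request to an intent
// expressed on the plugin's own settings page.
function example_save_keys_vulnerable() {
    update_option( 'example_site_key',   $_POST['site_key'] );
    update_option( 'example_secret_key', $_POST['secret_key'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&saved=1' ) );
    exit;
}

// --- Hardened shape ---------------------------------------------------------
// The settings form embeds a nonce bound to the action name. A cross-site page
// cannot read that value, so a forged request cannot include a valid one.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_keys', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_keys">
        <label>Site key
            <input type="text" name="site_key"
                   value="<?php echo esc_attr( get_option( 'example_site_key', '' ) ); ?>">
        </label>
        <label>Secret key
            <input type="password" name="secret_key" value="" autocomplete="off">
        </label>
        <?php submit_button( 'Save keys' ); ?>
    </form>
    <?php
}

function example_save_keys_hardened() {
    // Authorization: nonces prove intent, not privilege, so check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Intent: verify the nonce emitted for this specific action. On failure
    // check_admin_referer() stops the request with wp_die().
    check_admin_referer( 'example_save_keys', 'example_nonce' );

    // Input handling: unslash and sanitize before storing.
    $site_key   = isset( $_POST['site_key'] )   ? sanitize_text_field( wp_unslash( $_POST['site_key'] ) )   : '';
    $secret_key = isset( $_POST['secret_key'] ) ? sanitize_text_field( wp_unslash( $_POST['secret_key'] ) ) : '';

    update_option( 'example_site_key', $site_key );
    if ( '' !== $secret_key ) { // a blank field leaves the stored secret unchanged
        update_option( 'example_secret_key', $secret_key );
    }

    wp_safe_redirect( admin_url( 'options-general.php?page=example&saved=1' ) );
    exit;
}

// Only the hardened handler is wired up; the vulnerable one is kept for contrast.
add_action( 'admin_post_example_save_keys', 'example_save_keys_hardened' );
```

Two practitioner notes. First, a WordPress nonce is not a one-time token (it stays valid for roughly 12 to 24 hours), but that is sufficient against CSRF because the attacker never learns the value. Second, plugins that store settings through `register_setting()` and submit to `options.php` via `settings_fields()` get the nonce and capability checks from core; the CSRF risk described on this page is characteristic of custom handlers (`admin_post_*`, `admin-ajax.php` actions, or code that reacts to `$_POST` during `admin_init`) that skip those checks.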
Exploitation
Details
To exploit this vulnerability, an attacker crafts a malicious link or page that, when visited by an authenticated administrator, causes the browser to submit a forged request to the vulnerable endpoint; the browser attaches the administrator's WordPress session cookies, so the request arrives authenticated. No special network position is required, but the attacker relies on social engineering to get the administrator to open the link while logged in. The attacker needs no account on the target site [1]. Browsers that default cookies to SameSite=Lax narrow the window for cross-site POST submissions, but top-level GET navigations still carry cookies, so handlers that change state on GET remain fully exposed.
Impact
Successful exploitation could allow the attacker to perform actions under the administrator's session, such as changing plugin settings or configurations, potentially leading to further compromise of the WordPress site. The CVSS score of 4.3 (Medium) reflects the need for user interaction and the limited scope of unauthorized actions [1].
Mitigation
No patch is recorded for this issue at the time of writing (see Patches below). If a release later than 1.2.0 that addresses the problem becomes available, updating is the recommended action. Until then, consider disabling the plugin, restricting who holds the administrator role and where it is used, or adding a compensating control such as a web application firewall rule or custom code that enforces a nonce and capability check on the plugin's state-changing requests [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.