CVE-2025-54020

Vulnerability

Overview

The AntiSpam for Contact Form 7 plugin for WordPress (versions up to and including 0.6.3) contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw arises from missing or insufficient nonce validation on sensitive actions, enabling an attacker to trick an authenticated administrator into unknowingly performing unintended operations [1].

Exploitation

Details

Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a specially designed form while logged into the WordPress admin panel. The attacker does not need direct access to the site but can leverage social engineering or other means to deliver the payload. Once the victim performs the action, the attacker's request is executed under the victim's current authentication [1].

Impact

Successful exploitation allows an attacker to force the victim to perform actions such as modifying plugin settings, disabling anti-spam protections, or other administrative tasks. This could lead to further compromise, such as enabling spam or other malicious activities on the site. The CVSS score of 5.4 (Medium) reflects the need for user interaction and the potential for limited impact [1].

Mitigation

The vulnerability has been addressed in version 0.6.4 of the plugin. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].