VYPR
Medium severity 4.3 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 27, 2026

CVE-2025-67471

Description

Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal Quick Contact Form (quick-contact-form) allows Cross-Site Request Forgery. This issue affects Quick Contact Form: from n/a through <= 8.2.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in Quick Contact Form plugin (≤8.2.5) allows attackers to force privileged users into unwanted actions.

Vulnerability Overview

The Quick Contact Form plugin for WordPress, versions 8.2.5 and earlier, contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. The flaw arises because the plugin insufficiently validates requests made by authenticated users, allowing an attacker to trick a privileged user into executing unintended actions without their consent.

Exploitation Details

Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a specially prepared form while authenticated to the WordPress site [1]. No additional privileges are needed beyond the victim's existing session. The attack can be launched remotely without authentication, making it accessible to any unauthenticated visitor.

Impact

Successful CSRF exploitation could force a higher-privileged user (such as an administrator) to perform actions like changing plugin settings, deleting data, or other operations under their current authentication [1]. The CVSS v3 base score is 4.3 (Medium), reflecting the need for user interaction and the limited direct impact on confidentiality or availability.

Mitigation

The vendor has released version 8.2.6 which resolves the vulnerability [1]. Users are strongly advised to update to 8.2.6 or later. Patchstack users can enable auto-updates for vulnerable plugins. While the vulnerability is considered low severity and unlikely to be exploited in mass campaigns, immediate updating is recommended as a best practice [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

References: 1
