Description
The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user-controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details.
Published: 2026-01-17
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Open Mail Relay
Action: Update Plugin
AI Analysis

Impact

The Quick Contact Form plugin allows an attacker to send email messages from the web server by specifying a forged "from" address via the qcf_validate_form AJAX endpoint. This flaw permits unauthenticated parties to use the server as a relay to deliver messages to arbitrary recipients, potentially enabling phishing, spamming, or malicious routing of sensitive information. The weakness is a classic input validation failure, classified as CWE-20.

Affected Systems

WordPress sites running the Quick Contact Form plugin at version 8.2.6 or any earlier release. The vendor is Saadiqbal, who provides the plugin under the product name Quick Contact Form.

Risk and Exploitability

The CVSS score for this issue is 5.8, indicating a moderate risk. The EPSS score is below 1%, suggesting a very low probability of exploitation at this time. It is not listed in the CISA KEV catalog. Attackers would need only unauthenticated HTTP access to the site and would exploit the public AJAX endpoint to set the "from" address, resulting in the server relaying the email.

Generated by OpenCVE AI on April 21, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quick Contact Form to a version newer than 8.2.6
  • Disable or protect the qcf_validate_form AJAX endpoint by restricting it to authenticated users or by adding access controls
  • Configure the mail server to reject relay attempts from the web server IP addresses
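As an added example that is not the Quick Contact Form plugin's own code, the following WordPress AJAX handler shows the pattern that closes this class of bug: the sender and recipient are fixed server-side, and the visitor's address is only ever placed in Reply-To. The action name, nonce name, option names and function names are assumptions.

```php
<?php
// Hardened contact-form AJAX handler (hypothetical example, not the plugin's code).
// Registered for both logged-in and logged-out visitors, like a public contact form.
add_action( 'wp_ajax_nopriv_example_contact_submit', 'example_contact_submit' );
add_action( 'wp_ajax_example_contact_submit', 'example_contact_submit' );

function example_contact_submit() {
    // Bind the request to a nonce issued with the rendered form so that
    // arbitrary POSTs to admin-ajax.php are rejected before any mail is built.
    check_ajax_referer( 'example_contact_nonce', 'nonce' );

    // sanitize_text_field() strips line breaks, so $name cannot inject headers.
    $name    = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $visitor = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );

    if ( ! is_email( $visitor ) || '' === $message ) {
        wp_send_json_error( array( 'message' => 'Invalid submission.' ), 400 );
    }

    // Recipient and envelope sender come from server-side configuration only;
    // nothing in the request can choose who receives the mail or who it is from.
    $to   = get_option( 'admin_email' );
    $from = 'contact@' . example_contact_host();

    $headers = array(
        'From: ' . sprintf( '%s <%s>', $name ?: 'Website visitor', $from ),
        // The visitor's address goes into Reply-To, where it lets the site owner
        // answer but cannot turn the server into a relay for third parties.
        'Reply-To: ' . $visitor,
        'Content-Type: text/plain; charset=UTF-8',
    );

    $sent = wp_mail( $to, 'Contact form submission', $message, $headers );

    if ( ! $sent ) {
        wp_send_json_error( array( 'message' => 'Mail could not be sent.' ), 500 );
    }
    wp_send_json_success();
}

// Derive a fixed sender domain from the site URL (assumed helper).
function example_contact_host() {
    $host = wp_parse_url( home_url(), PHP_URL_HOST );
    return $host ? $host : 'localhost';
}
```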



Advisories

No advisories yet.

History

Tue, 20 Jan 2026 20:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Wordpress; Wordpress wordpress

Sat, 17 Jan 2026 02:30:00 +0000

Type: Description
Values removed: (none)
Values added: The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user-controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details.

Type: Title
Values removed: (none)
Values added: Quick Contact Form <= 8.2.6 - Unauthenticated Open Mail Relay

Type: Weaknesses
Values removed: (none)
Values added: CWE-20

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:48.947Z

Reserved: 2025-11-04T20:55:18.963Z

Link: CVE-2025-12718

Vulnrichment

Updated: 2026-01-20T18:45:36.330Z

NVD

Status : Deferred

Published: 2026-01-17T03:16:03.037

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12718

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:30:22Z

Weaknesses