Description
The HelpDesk contact form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the handle_query_args() function. This makes it possible for unauthenticated attackers to update the plugin's license ID and contact form ID settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-01-07
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Settings Modification
Action: Update Plugin
AI Analysis

Impact

The HelpDesk contact form plugin for WordPress is vulnerable to Cross‑Site Request Forgery due to missing or incorrect nonce validation on the handle_query_args() function. This allows any unauthenticated attacker to forge a request and update the plugin’s license ID and contact form ID settings when a site administrator performs an action such as clicking a link. The result is that an attacker can alter how the contact form behaves or redirect submissions, potentially compromising data integrity or bypassing licensing checks.

Affected Systems

All installations of the HelpDesk Contact Form plugin for WordPress with a version of 1.1.5 or older, as distributed by the vendor helpdeskcom. The vulnerability applies to any WordPress site that has the plugin enabled, regardless of the specific administrator account, provided that an administrator remains logged in when the forged request is made.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation is currently unlikely, though not impossible, especially if an attacker can social-engineer an administrator into visiting a crafted URL. The vulnerability is not listed in the CISA KEV catalog, indicating that no widely documented active exploitation has been reported. The attacker cannot issue the request directly: the forged request has to be sent from the administrator's own logged-in browser session, typically by the administrator clicking a malicious link, so the attack vector is primarily phishing or link injection. Once the forged request arrives, the plugin accepts the new settings because nonce validation is absent, enabling the attacker to modify configuration without any further authentication.

Generated by OpenCVE AI on April 22, 2026 at 00:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HelpDesk Contact Form plugin to the latest available version that removes the CSRF flaw, or at a minimum to any release newer than 1.1.5 for which the nonce check is restored.
  • If an update cannot be applied immediately, restrict HTTP access to the handle_query_args endpoint by IP whitelisting or by ensuring that only authenticated users with valid WordPress nonces can reach the endpoint, effectively re‑implementing the missing protection.
  • Consider blocking or redesigning any GET or POST requests that alter plugin settings when no valid nonce is present, which serves as a practical workaround until a patched version is installed.
  • Review and audit current administrator accounts for any unauthorized configuration changes that may have already been applied by a malicious actor.
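The missing protection described in the recommended actions, shown as an added illustration that is not the HelpDesk plugin's own code: a hypothetical settings handler with the CSRF weakness beside a hardened form that uses WordPress's nonce and capability checks. The name handle_query_args comes from the advisory; the hd_ function names, option names, nonce action and form markup are assumptions.

```php
<?php
// Added example, not HelpDesk plugin code. Option names, nonce action and
// form markup are assumptions chosen to illustrate CWE-352 in a WordPress plugin.

// VULNERABLE (hypothetical): the handler trusts whatever arrives in the request.
// Any page an admin visits can make the browser send these parameters together
// with the admin's logged-in cookies, so no attacker authentication is needed.
function hd_handle_query_args_vulnerable() {
    if ( isset( $_GET['hd_license_id'] ) ) {
        update_option( 'hd_license_id', $_GET['hd_license_id'] );
    }
    if ( isset( $_GET['hd_form_id'] ) ) {
        update_option( 'hd_form_id', $_GET['hd_form_id'] );
    }
}

// HARDENED: settings change only via POST from a form that carries a nonce,
// only for users allowed to manage options, and only after sanitising input.
function hd_handle_query_args_fixed() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return; // state-changing actions must not be reachable by a plain link
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // check_admin_referer() verifies the nonce bound to action 'hd_save_settings'
    // and stops with a 403 if it is missing, expired or forged.
    check_admin_referer( 'hd_save_settings', 'hd_nonce' );

    if ( isset( $_POST['hd_license_id'] ) ) {
        update_option( 'hd_license_id', sanitize_text_field( wp_unslash( $_POST['hd_license_id'] ) ) );
    }
    if ( isset( $_POST['hd_form_id'] ) ) {
        update_option( 'hd_form_id', absint( $_POST['hd_form_id'] ) );
    }
}

// The settings form embeds the matching nonce so legitimate submissions pass the check.
function hd_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'hd_save_settings', 'hd_nonce' );
    echo '<input type="hidden" name="action" value="hd_save_settings">';
    echo '<input type="text" name="hd_license_id">';
    echo '<input type="number" name="hd_form_id">';
    submit_button( 'Save' );
    echo '</form>';
}

// Route the authenticated admin-post action to the hardened handler.
add_action( 'admin_post_hd_save_settings', 'hd_handle_query_args_fixed' );
```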


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type: References

Thu, 08 Jan 2026 10:00:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type: Metrics ssvc
Values added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 06:45:00 +0000

Type: Description
Values added: The HelpDesk contact form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the handle_query_args() function. This makes it possible for unauthenticated attackers to update the plugin's license ID and contact form ID settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values added: HelpDesk contact form plugin <= 1.1.5 - Cross-Site Request Forgery to Settings Update via handle_query_args

Type: Weaknesses
Values added: CWE-352

Type: References

Type: Metrics cvssV3_1
Values added:

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:42.071Z

Reserved: 2025-11-25T15:28:19.206Z

Link: CVE-2025-13657

Vulnrichment

Updated: 2026-01-07T14:52:19.657Z

NVD

Status: Deferred

Published: 2026-01-07T12:16:49.397

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13657

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:15:03Z

Weaknesses