Description
Cross-Site Request Forgery (CSRF) vulnerability in Benjamin Pick Contact Form 7 Select Box Editor Button contact-form-7-select-box-editor-button allows Cross Site Request Forgery. This issue affects Contact Form 7 Select Box Editor Button: from n/a through <= 0.6.
Published: 2025-03-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CSRF flaw (CWE-352) in the WordPress plugin Contact Form 7 Select Box Editor Button. It allows an attacker to submit forged requests on behalf of an authenticated user, causing unintended actions without the victim's consent.

Affected Systems

Affected systems are WordPress sites running Benjamin Pick's Contact Form 7 Select Box Editor Button plugin at version 0.6 or earlier. The plugin is the only product named by the CNA; no version list is given beyond the <= 0.6 cutoff.

Risk and Exploitability

The CVSS score of 4.3 rates the flaw as moderate severity, and the EPSS score indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is most likely a remote domain that tricks a logged-in user into visiting a crafted URL, so no direct access from external hosts is required. Control of the affected form's submission endpoint is a prerequisite for exploitation.

Generated by OpenCVE AI on May 1, 2026 at 13:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Contact Form 7 Select Box Editor Button plugin to the most recent release, which includes a CSRF mitigation fix.
  • If upgrading is not immediately possible, disable the plugin on any front-end forms that handle sensitive data or sit behind authentication.
  • Implement an additional CSRF token check on form submissions, or configure a Web Application Firewall to block unexpected POST requests.
  • Ensure that WordPress core and other plugins are kept current to prevent related exploits.

Advisories
Source: EUVD
ID: EUVD-2025-7859
Title: Cross-Site Request Forgery (CSRF) vulnerability in Benjamin Pick Contact Form 7 Select Box Editor Button allows Cross Site Request Forgery. This issue affects Contact Form 7 Select Box Editor Button: from n/a through 0.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Benjamin Pick Contact Form 7 Select Box Editor Button allows Cross Site Request Forgery. This issue affects Contact Form 7 Select Box Editor Button: from n/a through 0.6.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Benjamin Pick Contact Form 7 Select Box Editor Button contact-form-7-select-box-editor-button allows Cross Site Request Forgery.This issue affects Contact Form 7 Select Box Editor Button: from n/a through <= 0.6.
Type: References
Type: Metrics
cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00021}
Values Added: epss {'score': 0.00029}


Wed, 12 Mar 2025 14:15:00 +0000

Type: Metrics
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 11 Mar 2025 21:15:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Benjamin Pick Contact Form 7 Select Box Editor Button allows Cross Site Request Forgery. This issue affects Contact Form 7 Select Box Editor Button: from n/a through 0.6.
Type: Title
Values Added: WordPress Contact Form 7 Select Box Editor Button plugin <= 0.6 - Cross Site Request Forgery (CSRF) vulnerability
Type: Weaknesses
Values Added: CWE-352
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:50.314Z

Reserved: 2025-03-11T08:09:18.300Z

Link: CVE-2025-28902

Vulnrichment

Updated: 2025-03-12T13:44:42.337Z

NVD

Status : Deferred

Published: 2025-03-11T21:15:47.627

Modified: 2026-04-23T15:26:34.160

Link: CVE-2025-28902

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:00:15Z

Weaknesses