Description
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms cf7-zendesk allows Cross Site Request Forgery. This issue affects WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through <= 1.1.3.
Published: 2025-04-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery (CWE‑352) exists in the CRM‑Perks WP Zendesk for Contact Form 7 plugin and its variants for WPForms, Elementor, Formidable and Ninja Forms. The flaw enables an attacker to send forged requests that change plugin settings without the victim’s consent. This can lead to arbitrary configuration changes, potentially redirecting form submissions or exposing sensitive data. The impact is confined to the administrator’s account on the affected WordPress site, but it allows the attacker to alter the behavior of contact forms.

Affected Systems

WordPress sites running the CRM Perks plugin "WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms" (cf7-zendesk) are affected in every version from the initial release through 1.1.3. Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms are the form builders this plugin integrates with, not separately affected products.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium severity. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers would likely need to compromise an authenticated admin session or persuade a logged‑in user to click a malicious link. However, because the flaw relies on CSRF, it is exploitable through a standard web request that targets the plugin’s settings endpoint.

Generated by OpenCVE AI on May 1, 2026 at 00:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Zendesk plugin (or its equivalent for WPForms, Elementor, Formidable, or Ninja Forms) to the latest version, which removes the CSRF flaw
  • If an immediate upgrade is not possible, temporarily disable the affected plugin or restrict the settings page to trusted administrator accounts only
  • Review and, if necessary, enhance the CSRF token implementation on the settings endpoint to ensure that only valid, user‑initiated requests are processed



Advisories

| Source | ID | Title |
|--------|----|-------|
| EUVD | EUVD-2025-9788 | Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms allows Cross Site Request Forgery. This issue affects WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through 1.1.3. |

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms allows Cross Site Request Forgery. This issue affects WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through 1.1.3.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms cf7-zendesk allows Cross Site Request Forgery. This issue affects WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through <= 1.1.3.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Fri, 04 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms allows Cross Site Request Forgery. This issue affects WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through 1.1.3.
Title WordPress WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms Plugin <= 1.1.3 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:20.289Z

Reserved: 2025-04-04T10:02:22.507Z

Link: CVE-2025-32269

Vulnrichment

Updated: 2025-04-04T18:59:32.853Z

NVD

Status: Deferred

Published: 2025-04-04T16:15:38.060

Modified: 2026-04-23T15:28:52.443

Link: CVE-2025-32269

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T00:30:04Z

Weaknesses