Impact
Cross‑Site Request Forgery in ZealousWeb User Registration Using Contact Form 7 (up to version 2.4) is a CWE‑352 vulnerability that allows an attacker to trigger form submissions on a victim website without the user's consent. The flaw arises because the plugin processes registration requests without validating a CSRF token, so a forged request can create, modify, or delete user registrations. This could enable unauthorized account creation or manipulation of user data, compromising the integrity of the WordPress site.
Affected Systems
The vulnerability affects the WordPress plugin "User Registration Using Contact Form 7" published by ZealousWeb. Every release of the plugin from its first version through version 2.4 is susceptible. WordPress sites running any of these versions should treat the issue as applicable.
Risk and Exploitability
A CVSS score of 5.4 places the vulnerability at moderate severity. The EPSS score of less than 1 % indicates that the probability of a publicly available exploit is low, and the vulnerability is not listed in the CISA KEV catalog. Attackers would most likely target sites where the registration form is publicly exposed, sending forged POST requests to the plugin's endpoint. While no widespread exploitation has been reported, the low EPSS does not eliminate the risk to high‑value sites that rely on the plugin for user registration.
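To show the missing-token pattern described under Impact next to the mitigation, here is an added example that is not the ZealousWeb plugin's own code: a minimal WordPress registration handler with no CSRF check, followed by a hardened version that verifies a WordPress nonce and rejects cross-origin submissions. The hook names, action names, field names and redirect path are assumptions.

```php
<?php
// Added example, not the ZealousWeb plugin's code; hook, action and field names are assumed.

// VULNERABLE PATTERN: the handler trusts any POST that reaches it. A page on
// another origin can auto-submit a form here; the browser attaches the victim's
// cookies and nothing distinguishes the forged request from a genuine one.
add_action( 'admin_post_nopriv_demo_register_unsafe', 'demo_register_unsafe' );
add_action( 'admin_post_demo_register_unsafe', 'demo_register_unsafe' );
function demo_register_unsafe() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    wp_create_user( $login, wp_generate_password(), $email ); // no CSRF token validation
    wp_safe_redirect( home_url( '/registered/' ) );
    exit;
}

// HARDENED: the form embeds a WordPress nonce and the handler refuses any
// submission whose nonce is missing or fails verification.
function demo_register_form() {
    ob_start(); ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_register">
        <?php wp_nonce_field( 'demo_register_action', 'demo_register_nonce' ); ?>
        <input type="text" name="user_login"> <input type="email" name="user_email">
        <button type="submit">Register</button>
    </form>
    <?php return ob_get_clean();
}
add_shortcode( 'demo_register_form', 'demo_register_form' );

add_action( 'admin_post_nopriv_demo_register', 'demo_register_hardened' );
add_action( 'admin_post_demo_register', 'demo_register_hardened' );
function demo_register_hardened() {
    $nonce = sanitize_text_field( wp_unslash( $_POST['demo_register_nonce'] ?? '' ) );
    if ( ! wp_verify_nonce( $nonce, 'demo_register_action' ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Caveat: a nonce issued to a logged-out visitor is not tied to a session,
    // so on a public form it is a weak barrier on its own. Rejecting a mismatched
    // Origin header adds a second check that a cross-site auto-submit cannot pass.
    $origin = wp_unslash( $_SERVER['HTTP_ORIGIN'] ?? '' );
    if ( '' !== $origin && wp_parse_url( $origin, PHP_URL_HOST ) !== wp_parse_url( home_url(), PHP_URL_HOST ) ) {
        wp_die( 'Cross-origin submission rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    wp_create_user( $login, wp_generate_password(), $email );
    wp_safe_redirect( home_url( '/registered/' ) );
    exit;
}
```

The nonce check protects logged-in users (for example an administrator whose session could be used to modify or delete registrations), while the Origin comparison covers the anonymous public-form case where the nonce alone is shared by all logged-out visitors.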