Impact
The A WP Life Contact Form Widget plugin contains a cross-site request forgery (CSRF) flaw that lets an attacker force a victim's browser to submit unintended requests to the site. Because versions up to 1.4.6 process these requests without validating that they originated from the user, an attacker can make the plugin perform actions, such as submitting forms or changing its configuration, without the user's consent, compromising the integrity of the plugin's data and potentially exposing sensitive information. The underlying weakness is classified as CWE-352 (Cross-Site Request Forgery), in which a user's authenticated session is misused to carry out operations the user never intended.
Affected Systems
The vulnerability affects all installations of the A WP Life Contact Form Widget plugin from version n/a through 1.4.6, that is, every release up to and including 1.4.6, running on WordPress sites. Any site that deploys this plugin and allows visitors to interact with it is at risk, regardless of the WordPress core version in use.
Risk and Exploitability
The CVSS score of 7.4 classifies this issue as high severity, while the EPSS score of less than 1% indicates a low but non-zero probability of exploitation in the wild. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. An attacker can exploit the flaw by getting a victim to open a crafted URL or a malicious web page; the victim's browser, still holding an authenticated session for the target site, then submits a request that the plugin does not properly verify. Because the attack requires the victim to be logged in or to have an active session on the targeted site, the vector is web-based and typically relies on social engineering or phishing to get the victim to load the malicious content.
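To make the CWE-352 pattern concrete from the defender's side, the following PHP is an added illustration and is not code from the A WP Life Contact Form Widget plugin or from WordPress core. It shows a hypothetical plugin settings handler first in the CSRF-prone shape the advisory describes (a request that is acted on without verification) and then hardened with the standard WordPress controls: a capability check, a nonce check via check_admin_referer(), and input sanitisation. All hypothetical_cfw_* names, the option key, and the cfw_recipient field are placeholders invented for this example; the WordPress API functions used (current_user_can, check_admin_referer, wp_nonce_field, sanitize_email, update_option, admin_url, wp_safe_redirect) are real.

```php
<?php
// Added example (not the plugin's code): a hypothetical settings handler for a
// WordPress plugin, first in a CSRF-prone form and then hardened. All
// hypothetical_cfw_* identifiers are placeholders invented for this illustration.

// --- Vulnerable pattern: the handler trusts any POST that reaches it ---
// A page on another origin can auto-submit a form to admin-post.php while the
// administrator's browser still carries the site's login cookie, and the
// option is overwritten without the administrator ever intending it.
function hypothetical_cfw_save_settings_vulnerable() {
    if ( isset( $_POST['cfw_recipient'] ) ) {
        update_option( 'hypothetical_cfw_recipient', $_POST['cfw_recipient'] );
    }
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// --- Hardened pattern: capability check + nonce check + sanitisation ---
// The nonce is bound to the logged-in user and to the action string and is
// only ever rendered into the site's own settings page, so a form hosted on
// a third-party origin cannot supply a valid one.
function hypothetical_cfw_save_settings_hardened() {
    // 1. Only users allowed to manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Reject the request unless it carries a valid nonce for this action.
    //    check_admin_referer() terminates with wp_die() on failure.
    check_admin_referer( 'hypothetical_cfw_save_settings', 'hypothetical_cfw_nonce' );

    // 3. Sanitise before persisting.
    $recipient = isset( $_POST['cfw_recipient'] )
        ? sanitize_email( wp_unslash( $_POST['cfw_recipient'] ) )
        : '';
    update_option( 'hypothetical_cfw_recipient', $recipient );

    wp_safe_redirect( add_query_arg( 'cfw_saved', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_hypothetical_cfw_save_settings', 'hypothetical_cfw_save_settings_hardened' );

// The settings form paired with the hardened handler. wp_nonce_field() emits
// the hidden nonce input (plus a referer field) that check_admin_referer()
// expects; the action name must match the one passed to check_admin_referer().
function hypothetical_cfw_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypothetical_cfw_save_settings" />
        <?php wp_nonce_field( 'hypothetical_cfw_save_settings', 'hypothetical_cfw_nonce' ); ?>
        <label>Recipient e-mail
            <input type="email" name="cfw_recipient"
                   value="<?php echo esc_attr( get_option( 'hypothetical_cfw_recipient', '' ) ); ?>" />
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of issue, look for every state-changing handler (admin_post_*, admin-ajax.php actions, and front-end form processors) and confirm that each one performs both a capability check and a nonce check before touching options or the database; a nonce alone does not replace the capability check, and a capability check alone does not stop a forged request from an already-authenticated browser.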
OpenCVE Enrichment