Description
Cross-Site Request Forgery (CSRF) vulnerability in cimatti Contact Forms by Cimatti contact-forms allows Cross Site Request Forgery. This issue affects Contact Forms by Cimatti: from n/a through <= 1.9.8.
Published: 2025-06-02
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery (CWE‑352) that allows remote attackers to trick authenticated WordPress users into submitting unintended requests through the Contact Forms by Cimatti plugin. The flaw exists in plugin versions up to 1.9.8 and can enable malicious actions performed with the victim’s privileges, potentially exposing sensitive data or manipulating form submissions.

Affected Systems

The affected product is the WordPress plugin Contact Forms by Cimatti, in any WordPress installation running plugin version 1.9.8 or earlier. The vendor is cimatti, and the product is Contact Forms by Cimatti.

Risk and Exploitability

The CVSS score is 4.3, indicating medium severity. The EPSS score is less than 1%, showing a low likelihood that the vulnerability will be exploited in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would need to target authenticated users who have access to the plugin’s administration or form pages; the exploit path typically involves a crafted request that is sent when a user inadvertently visits a malicious site. Because the flaw is CSRF, the attacker does not need to compromise the WordPress installation directly, but instead relies on user interaction.

Generated by OpenCVE AI on April 30, 2026 at 18:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest released version of Contact Forms by Cimatti.
  • If an upgrade cannot be performed immediately, restrict network access to the plugin’s administrative and form endpoints so that only authenticated users can reach them.
  • Verify that any available CSRF protection settings in the plugin are enabled, and consider adding a custom CSRF token to form submissions if the plugin does not provide it by default.



Advisories
Source: EUVD
ID: EUVD-2025-16689
Title: Cross-Site Request Forgery (CSRF) vulnerability in Cimatti Consulting Contact Forms by Cimatti allows Cross Site Request Forgery. This issue affects Contact Forms by Cimatti: from n/a through 1.9.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Cimatti Consulting Contact Forms by Cimatti allows Cross Site Request Forgery. This issue affects Contact Forms by Cimatti: from n/a through 1.9.8.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in cimatti Contact Forms by Cimatti contact-forms allows Cross Site Request Forgery. This issue affects Contact Forms by Cimatti: from n/a through <= 1.9.8.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 03 Jun 2025 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Jun 2025 19:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Cimatti Consulting Contact Forms by Cimatti allows Cross Site Request Forgery. This issue affects Contact Forms by Cimatti: from n/a through 1.9.8.
Title WordPress Contact Forms by Cimatti plugin <= 1.9.8 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:58.612Z

Reserved: 2025-05-30T14:04:49.666Z

Link: CVE-2025-49069

Vulnrichment

Updated: 2025-06-03T01:59:26.131Z

NVD

Status: Deferred

Published: 2025-06-02T19:15:28.680

Modified: 2026-04-23T15:31:16.520

Link: CVE-2025-49069

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:00:14Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)