Description
Cross-Site Request Forgery (CSRF) vulnerability in Erik AntiSpam for Contact Form 7 cf7-antispam allows Cross Site Request Forgery. This issue affects AntiSpam for Contact Form 7: from n/a through <= 0.6.3.
Published: 2025-07-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery flaw in the Erik AntiSpam for Contact Form 7 plugin. It permits an attacker to craft a request that causes a legitimate authenticated user to unknowingly perform privileged actions on the site, potentially altering or deleting contact form entries or other settings. The weakness corresponds to CWE‑352, indicating missing or inadequate CSRF protection.

Affected Systems

The issue affects the WordPress AntiSpam for Contact Form 7 plugin by Erik. Versions from any released version up through and including 0.6.3 are vulnerable. Administrators using any of these releases are at risk.

Risk and Exploitability

The published CVSS score of 5.4 represents moderate severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not currently listed in the CISA KEV catalog. An attacker would launch the attack from an external malicious site that lures a logged‑in user into submitting a forged request to the vulnerable endpoint, taking advantage of the missing CSRF token.

Generated by OpenCVE AI on April 30, 2026 at 09:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AntiSpam for Contact Form 7 plugin to a version newer than 0.6.3; if a newer release is not yet available, contact Erik for a fix or temporarily disable the plugin entirely.
  • If an immediate update is impossible, block or restrict the vulnerable endpoint by whitelisting trusted IP addresses or enforcing stricter authentication before allowing form submissions.
  • Implement a site‑wide CSRF protection mechanism, such as ensuring all forms use WordPress nonces or custom tokens that must be validated before processing requests.
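The nonce-based protection recommended above, shown as an added example that is not the cf7-antispam plugin's code and does not describe its internals. It assumes a hypothetical plugin with a settings form, a hypothetical action name `myplugin_save_settings`, nonce field `_myplugin_nonce` and option `myplugin_settings`; the WordPress functions it calls (`wp_nonce_field`, `check_admin_referer`, `check_ajax_referer`, `current_user_can`) are real core APIs.

```php
<?php
// Added example, not the plugin's own code: a WordPress admin-post handler
// protected against CSRF (CWE-352) by binding the form to a nonce and
// verifying it before any state change. Names prefixed "myplugin_" are
// hypothetical.

// 1. Render the form with a nonce field tied to this specific action.
//    wp_nonce_field() emits a hidden input whose value is derived from the
//    action, the current user and the session, so another origin cannot
//    guess it.
function myplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', '_myplugin_nonce' ); ?>
        <label>Block list (one entry per line)
            <textarea name="myplugin_blocklist"></textarea>
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handle the submission. Without the nonce check below, any page the
//    administrator visits while logged in could auto-submit this form on
//    their behalf; with it, a cross-origin request lacks a valid token and
//    is rejected before the option is written.
function myplugin_handle_save_settings() {
    // Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF defence: check_admin_referer() verifies the nonce for this action
    // and calls wp_die() on failure, so everything after it only runs for
    // requests that originated from the form rendered above.
    check_admin_referer( 'myplugin_save_settings', '_myplugin_nonce' );

    // Input handling after the checks: unslash, split, sanitize each entry.
    $raw  = isset( $_POST['myplugin_blocklist'] ) ? wp_unslash( $_POST['myplugin_blocklist'] ) : '';
    $list = array_filter( array_map( 'sanitize_text_field', explode( "\n", $raw ) ) );
    update_option( 'myplugin_settings', array( 'blocklist' => array_values( $list ) ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_handle_save_settings' );

// 3. The same protection for an AJAX endpoint: check_ajax_referer() reads the
//    nonce from the named request parameter and dies on failure.
function myplugin_ajax_clear_log() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'myplugin_clear_log', 'nonce' );
    delete_option( 'myplugin_log' );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_clear_log', 'myplugin_ajax_clear_log' );
```

Both the capability check and the nonce check are needed: `current_user_can()` answers "may this user do this?", while the nonce answers "did this user intend this request?". A handler with only the first is exactly the pattern CWE-352 describes. When reviewing a plugin, search its `admin_post_*`, `wp_ajax_*` and `admin_init` handlers for state-changing code that reaches `update_option`, `delete_option` or database writes without one of the `check_*_referer` or `wp_verify_nonce` calls in between.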


Advisories
Source: EUVD
ID: EUVD-2025-21674
Title: Cross-Site Request Forgery (CSRF) vulnerability in Erik AntiSpam for Contact Form 7 allows Cross Site Request Forgery. This issue affects AntiSpam for Contact Form 7: from n/a through 0.6.3.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description (value removed): Cross-Site Request Forgery (CSRF) vulnerability in Erik AntiSpam for Contact Form 7 allows Cross Site Request Forgery. This issue affects AntiSpam for Contact Form 7: from n/a through 0.6.3.
  Description (value added): Cross-Site Request Forgery (CSRF) vulnerability in Erik AntiSpam for Contact Form 7 cf7-antispam allows Cross Site Request Forgery.This issue affects AntiSpam for Contact Form 7: from n/a through <= 0.6.3.
  References: (no values listed)
  Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Wed, 16 Jul 2025 20:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 13:45:00 +0000
  Metrics (epss): {'score': 0.00033}

Wed, 16 Jul 2025 10:45:00 +0000
  Description: Cross-Site Request Forgery (CSRF) vulnerability in Erik AntiSpam for Contact Form 7 allows Cross Site Request Forgery. This issue affects AntiSpam for Contact Form 7: from n/a through 0.6.3.
  Title: WordPress AntiSpam for Contact Form 7 plugin <= 0.6.3 - Cross Site Request Forgery (CSRF) Vulnerability
  Weaknesses: CWE-352
  References: (no values listed)
  Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:28.963Z

Reserved: 2025-07-16T08:51:37.993Z

Link: CVE-2025-54020

Vulnrichment

Updated: 2025-07-16T19:57:43.177Z

NVD

Status : Deferred

Published: 2025-07-16T11:15:29.507

Modified: 2026-04-23T15:32:42.887

Link: CVE-2025-54020

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T09:45:25Z

Weaknesses