Impact
The A WP Life Contact Form Widget plugin, in versions up to and including 1.5.1, contains a Cross‑Site Request Forgery flaw that permits an attacker to craft and submit forged HTTP requests from a victim’s web browser. When a logged‑in user visits a malicious page, the browser automatically sends the victim’s credentials with the forged request, so unintended actions are performed through the plugin’s endpoints. This can lead to unauthorized data submissions, configuration changes, or other state‑changing operations without the user’s knowledge, compromising data integrity and possibly exposing sensitive information.
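The missing check behind this class of flaw, shown as an added example rather than code from the affected plugin: a WordPress handler that validates only the user's capability, next to one that also requires a nonce. The action, option, field and function names (`example_cfw_*`, `recipient`) are hypothetical.

```php
<?php
// Added illustration. Action, option and field names are hypothetical and
// are not taken from the affected plugin.

// Vulnerable pattern: only the capability is checked. A cross-site form post
// arrives with the administrator's cookies, so this check passes as well.
add_action( 'admin_post_example_cfw_save_unsafe', 'example_cfw_save_unsafe' );
function example_cfw_save_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // No nonce check: nothing ties the request to a form this site rendered.
    $to = sanitize_email( wp_unslash( $_POST['recipient'] ?? '' ) );
    update_option( 'example_cfw_recipient', $to );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Hardened pattern: the same handler, but the request must also carry a
// nonce that WordPress issued to this user for this specific action.
add_action( 'admin_post_example_cfw_save_safe', 'example_cfw_save_safe' );
function example_cfw_save_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Stops with a 403 response when the nonce is missing, expired or wrong.
    check_admin_referer( 'example_cfw_save', 'example_cfw_nonce' );
    $to = sanitize_email( wp_unslash( $_POST['recipient'] ?? '' ) );
    update_option( 'example_cfw_recipient', $to );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// The settings form embeds the nonce as a hidden field. A third-party page
// cannot read this value, so it cannot build a request the handler accepts.
function example_cfw_render_form() {
    $value = get_option( 'example_cfw_recipient', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_cfw_save_safe">';
    wp_nonce_field( 'example_cfw_save', 'example_cfw_nonce' );
    echo '<input type="email" name="recipient" value="' . esc_attr( $value ) . '">';
    submit_button();
    echo '</form>';
}
```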
Affected Systems
The vulnerability affects the WordPress plugin A WP Life Contact Form Widget, specifically all releases from the first build up to and including version 1.5.1. WordPress sites with this plugin installed are at risk.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% indicates a very low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog, so there is no evidence of widespread active exploitation. Attackers would need to entice a victim to visit a crafted page or otherwise induce the victim’s browser to issue the forged request, which is characteristic of a web‑based CSRF vector. Given the low exploit likelihood and moderate impact, the threat remains manageable but should be mitigated promptly.