Description
Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal Quick Contact Form quick-contact-form allows Cross Site Request Forgery.This issue affects Quick Contact Form: from n/a through <= 8.2.5.
Published: 2025-12-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Quick Contact Form plugin contains a Cross‑Site Request Forgery (CSRF) vulnerability that enables an attacker to forge form submissions on behalf of an authenticated site user. This weakness (CWE‑352) could result in the attacker posting unwanted content, modifying configuration data, or performing other privileged actions within the scope of the user’s access rights.

Affected Systems

In WordPress sites, any installation of Saad Iqbal Quick Contact Form from a version before the release of 8.2.6 (i.e., 8.2.5 and earlier) is affected. All users who have logged into the site while the vulnerable plugin is active are at risk.

Risk and Exploitability

The CVSS score of 4.3 reflects a moderate impact. The EPSS score of less than 1% suggests that early exploitation is unlikely and no widespread public exploits are reported, as the vulnerability is not listed in the CISA KEV catalog. Exploitation typically requires that an authenticated user visits a crafted URL or interacts with a malicious link while their session is active. Because it is a typical CSRF scenario, the attack vector is inferred to be a user‑initiated request, often via a malicious webpage or email link.

Generated by OpenCVE AI on April 29, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Saad Iqbal Quick Contact Form to version 8.2.6 or later, as the fix is included in newer releases.
  • If an immediate upgrade is not possible, remove or deactivate the Quick Contact Form plugin until the update can be applied.
  • Review and enforce CSRF protections on all site forms, ensuring that unique nonces are generated and validated for every state‑changing request.

Generated by OpenCVE AI on April 29, 2026 at 19:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 11 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 09 Dec 2025 14:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal Quick Contact Form quick-contact-form allows Cross Site Request Forgery.This issue affects Quick Contact Form: from n/a through <= 8.2.5.
Title WordPress Quick Contact Form plugin <= 8.2.5 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:19.604Z

Reserved: 2025-12-08T16:00:53.489Z

Link: CVE-2025-67471

cve-icon Vulnrichment

Updated: 2025-12-11T19:02:18.504Z

cve-icon NVD

Status : Deferred

Published: 2025-12-09T16:18:23.417

Modified: 2026-04-27T18:16:39.550

Link: CVE-2025-67471

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T20:00:18Z

Weaknesses