Description
The Professional Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the watch_for_contact_form_submit function. This makes it possible for unauthenticated attackers to trigger test email sending via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-09-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unintended Email Sending
Action: Patch
AI Analysis

Impact

The Professional Contact Form plugin for WordPress contains a Cross‑Site Request Forgery flaw caused by missing or incorrect nonce validation in the watch_for_contact_form_submit handler. An unauthenticated attacker can force a site administrator to unknowingly trigger the plugin’s test‑email function, causing the server to send emails to arbitrary addresses. This allows the attacker to generate spam or phishing messages from the legitimate site, potentially damaging the site’s reputation and abusing its mail server. The weakness corresponds to CWE‑352.

Affected Systems

The vulnerability affects the kelderic Professional Contact Form plugin for WordPress, in all released versions up to and including 1.0.0. The plugin is available for download and installation from the WordPress plugin repository.

Risk and Exploitability

The CVSS score is 4.3, indicating a medium impact level. The EPSS score is less than 1 %, suggesting a very low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. The likely attack vector requires the attacker to lure a site administrator into clicking a crafted link or submitting a forged request; no network‑level exposure is needed. Because the vulnerability is limited to an admin action, the overall risk is moderate, but organizations with active users might still suffer email reputation damage if an attack succeeds.

Generated by OpenCVE AI on April 20, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Professional Contact Form plugin to the latest version that implements proper CSRF protection and nonce validation.
  • If an update is not available, contact the vendor to request a patch or alternative resolution.
  • While awaiting a fix, restrict or disable the test‑email functionality in the plugin, or enforce stricter admin authentication controls to prevent accidental execution of the vulnerable request.

Generated by OpenCVE AI on April 20, 2026 at 19:27 UTC.
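The nonce validation that the Recommended Actions above call for, shown as an added illustration that is not the plugin's code: the plugin's real handler is not on this page, so the admin-post hook, the form field names and the pcf_ prefix below are assumptions. It contrasts a handler that acts on any POST carrying a flag with one gated by a capability check and check_admin_referer.

```php
<?php
// Added illustration (not the plugin's code). Hook name, field names and the
// 'pcf_' prefix are assumptions; the WordPress API calls are real.

// Vulnerable pattern (CWE-352): acts as soon as the flag is in the POST body.
// A form on any third-party page can submit this cross-origin, and the browser
// attaches the logged-in admin's cookies, so WordPress treats it as the admin.
function pcf_vulnerable_send_test_email() {
    if ( empty( $_POST['pcf_send_test'] ) ) {
        return;
    }
    $to = isset( $_POST['pcf_to'] ) ? sanitize_email( wp_unslash( $_POST['pcf_to'] ) ) : '';
    wp_mail( $to, 'Test email', 'This is a test.' );
}

// Hardened form: embeds a nonce bound to this action and the current user.
function pcf_render_test_email_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="pcf_send_test_email">';
    wp_nonce_field( 'pcf_send_test_email' ); // emits _wpnonce and _wp_http_referer
    echo '<input type="email" name="pcf_to" required>';
    submit_button( 'Send test email' );
    echo '</form>';
}

// Hardened handler: capability check first, then nonce check, then input checks.
function pcf_handle_send_test_email() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with 403 unless _wpnonce was issued for this action to this user;
    // a forged cross-site request cannot know the nonce value.
    check_admin_referer( 'pcf_send_test_email' );

    $to = isset( $_POST['pcf_to'] ) ? sanitize_email( wp_unslash( $_POST['pcf_to'] ) ) : '';
    if ( ! is_email( $to ) ) {
        wp_die( 'Invalid recipient.', '', array( 'response' => 400 ) );
    }
    wp_mail( $to, 'Test email', 'This is a test.' );

    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'pcf_sent', '1', $back ) );
    exit;
}
add_action( 'admin_post_pcf_send_test_email', 'pcf_handle_send_test_email' );
```

The same check applies to handlers wired through admin_init or a custom query argument: the nonce must be verified before any side effect, not only when a particular button was used.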

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-31411
Title: The Professional Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the watch_for_contact_form_submit function. This makes it possible for unauthenticated attackers to trigger test email sending via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Mon, 29 Sep 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Sep 2025 09:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Sat, 27 Sep 2025 07:00:00 +0000

Values Added:
Description: The Professional Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the watch_for_contact_form_submit function. This makes it possible for unauthenticated attackers to trigger test email sending via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title: Professional Contact Form <= 1.0.0 - Cross-Site Request Forgery to Test Email Sending
Weaknesses: CWE-352
References:
Metrics (cvssV3_1):
{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:49.749Z

Reserved: 2025-09-03T13:05:44.835Z

Link: CVE-2025-9944

Vulnrichment

Updated: 2025-09-29T19:10:30.592Z

NVD

Status : Deferred

Published: 2025-09-27T07:15:35.243

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9944

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses