Description
The WP Quick Contact Us plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-02-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration changes via CSRF
Action: Patch
AI Analysis

Impact

The WP Quick Contact Us plugin's settings update routine performs no nonce validation, so it accepts any request that arrives carrying a logged-in administrator's session cookies. An unauthenticated attacker therefore needs no credentials: luring an administrator to a crafted link or page is enough to make the administrator's own browser submit a settings change the administrator never intended. The CVSS vector records the effect as a limited loss of integrity (I:L) to the plugin's configuration, with no confidentiality or availability impact.

Affected Systems

Dmitritechs WP Quick Contact Us is affected in all releases up to and including version 1.0. Any WordPress site running these versions is at risk.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) and an EPSS score below 1 %. It is not listed in the CISA Known Exploited Vulnerabilities catalog, and the SSVC assessment records Exploitation: none and Automatable: no. The attack is reachable over the network and needs no privileges, but it succeeds only if a logged-in administrator can be induced to visit an attacker-controlled link or page (UI:R), and even then the effect is confined to a partial integrity impact on the plugin's settings; together these keep the overall risk moderate.

Generated by OpenCVE AI on April 15, 2026 at 17:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • No fixed release is listed in this record. Update WP Quick Contact Us as soon as the vendor publishes a version later than 1.0 that adds nonce validation to the settings update handler, and confirm after updating that the settings form carries a nonce field and that the handler checks it before calling update_option.
  • Until a fixed version is available, deactivate or uninstall the plugin; a site that does not load the plugin's settings handler cannot be attacked through it.
  • Keep WordPress core and other plugins current so that already-fixed CSRF issues in other components are closed as well. This is general hygiene rather than a fix for this CVE, since a nonce check missing in one plugin is independent of the state of core.
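As an added illustration (not code from the WP Quick Contact Us plugin or from Wordfence), the PHP below shows the vulnerable pattern the record describes next to the hardened form of the same handler, using WordPress's own nonce and capability APIs. The function names, the option name qcu_demo_settings, the form field names and the manage_options capability are assumptions made for this example; the real plugin's identifiers are not given in the record.

```php
<?php
/**
 * Added illustration only. Not code from WP Quick Contact Us.
 * Option name, form field names, function names and capability are hypothetical.
 */

// BEFORE: the pattern CVE-2026-1394 describes. Any POST that reaches this
// handler while an administrator's session cookies are attached is accepted,
// so a page the administrator is lured to can submit the form from their
// browser without knowing any secret.
function qcu_demo_save_settings_vulnerable() {
    if ( ! isset( $_POST['qcu_demo_save'] ) ) {
        return;
    }
    $settings = array(
        'recipient' => sanitize_email( wp_unslash( $_POST['qcu_demo_recipient'] ?? '' ) ),
        'enabled'   => ! empty( $_POST['qcu_demo_enabled'] ),
    );
    update_option( 'qcu_demo_settings', $settings );
}

// AFTER, part 1: the settings form embeds a nonce. wp_nonce_field() emits a
// hidden input whose value is derived from the current user, the action name
// and a rotating time window, so a page on another origin cannot obtain it.
function qcu_demo_render_form() {
    $settings = get_option( 'qcu_demo_settings', array( 'recipient' => '', 'enabled' => false ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=qcu-demo' ) ); ?>">
        <?php wp_nonce_field( 'qcu_demo_save_settings', 'qcu_demo_nonce' ); ?>
        <input type="email" name="qcu_demo_recipient"
               value="<?php echo esc_attr( $settings['recipient'] ); ?>">
        <input type="checkbox" name="qcu_demo_enabled" value="1"
               <?php checked( (bool) $settings['enabled'] ); ?>>
        <input type="submit" name="qcu_demo_save" value="Save">
    </form>
    <?php
}

// AFTER, part 2: the handler refuses the request unless the caller is
// authorized AND the nonce from the form is valid. Both checks are needed:
// the capability check is authorization, the nonce check is what defeats CSRF.
function qcu_demo_save_settings_hardened() {
    if ( ! isset( $_POST['qcu_demo_save'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'qcu-demo' ), '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates $_POST['qcu_demo_nonce'] against the
    // 'qcu_demo_save_settings' action for the logged-in user and calls
    // wp_die() on failure, so a forged cross-site POST never reaches update_option.
    check_admin_referer( 'qcu_demo_save_settings', 'qcu_demo_nonce' );

    $settings = array(
        'recipient' => sanitize_email( wp_unslash( $_POST['qcu_demo_recipient'] ?? '' ) ),
        'enabled'   => ! empty( $_POST['qcu_demo_enabled'] ),
    );
    update_option( 'qcu_demo_settings', $settings );
}

add_action( 'admin_init', 'qcu_demo_save_settings_hardened' );
```

check_admin_referer() stops the request with wp_die() when the nonce is missing or stale; wp_verify_nonce() returns false instead, for handlers that should fail quietly. Browser SameSite cookie defaults reduce exposure but do not replace the nonce, because they do not cover every request shape and a nonce is the mechanism WordPress itself relies on. A quick audit of any installed plugin is to grep its admin and AJAX handlers for check_admin_referer, wp_verify_nonce or check_ajax_referer and confirm that every update_option call sits behind one of them.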


Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Dmitritechs; Dmitritechs wp Quick Contact Us; Wordpress; Wordpress wordpress
Vendors & Products    (none)           Dmitritechs; Dmitritechs wp Quick Contact Us; Wordpress; Wordpress wordpress

Sat, 14 Feb 2026 06:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           The WP Quick Contact Us plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title         (none)           WP Quick Contact Us <= 1.0 - Cross-Site Request Forgery to Settings Update
Weaknesses    (none)           CWE-352
References    (none)           (empty)
Metrics       (none)           cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Dmitritechs Wp Quick Contact Us
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:30.886Z

Reserved: 2026-01-23T21:03:57.329Z

Link: CVE-2026-1394

Vulnrichment

Updated: 2026-02-17T15:36:39.810Z

NVD

Status : Deferred

Published: 2026-02-14T07:16:10.343

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1394

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses