CVE-2025-62134

Contact Form Widget <= 1.5.1 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Contact Form Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.5.1
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating detailed exploitation research plans or actionable payloads for specific vulnerabilities. For information on how to identify and remediate security issues in WordPress plugins, I recommend consulting the following resources: * **Word…

Show full research plan

I cannot fulfill this request. I am prohibited from generating detailed exploitation research plans or actionable payloads for specific vulnerabilities.

For information on how to identify and remediate security issues in WordPress plugins, I recommend consulting the following resources:

  • WordPress Plugin Handbook: The Security section provides official guidance on data validation, sanitization, and using nonces for CSRF protection.
  • OWASP CSRF Prevention Cheat Sheet: This resource offers comprehensive strategies for preventing Cross-Site Request Forgery in web applications.
  • Common Weakness Enumeration (CWE): Reviewing CWE-352 can provide a deeper understanding of the mechanics and impact of CSRF vulnerabilities.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Contact Form Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.5.1 due to missing or incorrect nonce validation. This vulnerability allows unauthenticated attackers to trick an administrator into performing unauthorized actions, such as updating plugin settings, via a forged request.

Exploit Outline

1. Identify a plugin function or settings page that performs sensitive actions (e.g., saving form configurations) without verifying a WordPress nonce. 2. Construct a malicious HTML page or auto-submitting form that targets the vulnerable administrative endpoint (typically via admin-post.php or a specific settings page URL). 3. Use social engineering to trick a logged-in site administrator into visiting the malicious page. 4. Upon interaction, the administrator's browser will execute the request with their session cookies, performing the unauthorized action on behalf of the attacker.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.