Platform
wordpress
Component
helpdesk-contact-form
Fixed in
1.1.6
CVE-2025-13657 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the HelpDesk Contact Form plugin for WordPress. This flaw allows unauthenticated attackers to manipulate plugin settings, potentially disrupting site operations. The vulnerability impacts versions from 0.0.0 through 1.1.5, and a patch is available in version 1.1.6.
The core of this vulnerability is the lack of nonce validation in the plugin's handle_query_args() function. A CSRF attack exploits this by luring an administrator who is logged in to the WordPress dashboard onto an attacker-controlled page or link; the browser attaches the administrator's session cookie to the forged request, so the plugin cannot tell it apart from a request the administrator intended to make. Successful exploitation allows an attacker to modify critical plugin settings, such as the license ID and contact form ID. This could lead to unauthorized changes to the plugin's behavior, potentially disrupting contact form submissions, altering license information, or even disabling the plugin entirely. The impact is amplified if the plugin is heavily relied upon for customer communication or support.
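The following is an added illustrative example and not code from the HelpDesk Contact Form plugin. It shows the settings-handler pattern the advisory describes (an admin_init hook that acts on query arguments) first without and then with the CSRF protections WordPress provides, so the difference between the unpatched and patched behavior is visible in code. All function, option, query-argument and action names (hcf_example_*, hcf_license_id, hcf_form_id, hcf_save_settings) are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's own code. Names below are assumptions.

// BEFORE: the handler trusts any request that carries the query arguments.
// A logged-in administrator who follows a crafted link gets the settings
// overwritten, because nothing ties the request to an intent the
// administrator expressed on the plugin's own settings page.
// (This function is deliberately not hooked anywhere.)
function hcf_example_handle_query_args_unsafe() {
    if ( isset( $_GET['hcf_license_id'] ) ) {
        update_option( 'hcf_license_id', sanitize_text_field( wp_unslash( $_GET['hcf_license_id'] ) ) );
    }
    if ( isset( $_GET['hcf_form_id'] ) ) {
        update_option( 'hcf_form_id', absint( $_GET['hcf_form_id'] ) );
    }
}

// AFTER: the same handler with the checks a reviewer wants to see.
function hcf_example_handle_query_args_safe() {
    // Only act when the request carries the plugin's own action marker.
    if ( empty( $_GET['hcf_action'] ) || 'save_settings' !== $_GET['hcf_action'] ) {
        return;
    }
    // 1. Capability check: anonymous visitors and low-privilege users
    //    must never reach the settings-writing code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hcf-example' ), '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: check_admin_referer() verifies the '_wpnonce' query
    //    argument against the 'hcf_save_settings' action for the current
    //    user and stops with a 403 page if it is missing, expired or was
    //    minted for someone else. A cross-site page cannot know this value.
    check_admin_referer( 'hcf_save_settings' );
    // 3. Input validation, as before.
    if ( isset( $_GET['hcf_license_id'] ) ) {
        update_option( 'hcf_license_id', sanitize_text_field( wp_unslash( $_GET['hcf_license_id'] ) ) );
    }
    if ( isset( $_GET['hcf_form_id'] ) ) {
        update_option( 'hcf_form_id', absint( $_GET['hcf_form_id'] ) );
    }
    // Redirect so a page reload does not replay the action.
    wp_safe_redirect( admin_url( 'admin.php?page=hcf-example&updated=1' ) );
    exit;
}

// The link the plugin's own settings page emits must carry the matching
// nonce; wp_nonce_url() appends '_wpnonce' for the same action name.
function hcf_example_settings_link( $license_id, $form_id ) {
    $url = add_query_arg(
        array(
            'page'           => 'hcf-example',
            'hcf_action'     => 'save_settings',
            'hcf_license_id' => $license_id,
            'hcf_form_id'    => $form_id,
        ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'hcf_save_settings' );
}

add_action( 'admin_init', 'hcf_example_handle_query_args_safe' );
```

The capability check on its own does not stop CSRF, because the victim of a CSRF attack is an administrator who already passes it; the nonce is what distinguishes a request the administrator launched from the plugin's settings page from one a third-party page forged. Both checks together are the pattern WordPress plugin reviewers look for in any handler that writes options.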
This vulnerability was publicly disclosed on 2026-01-07. No public proof-of-concept (PoC) code has been released at the time of writing, but CSRF vulnerabilities are straightforward to reproduce once the vulnerable parameters are known, so a PoC could emerge. The vulnerability is not currently listed in the CISA KEV catalog. The CVSS score of 4.3 rates the severity as medium; the EPSS figure below gives a separate estimate of exploitation likelihood.
WordPress sites running the HelpDesk Contact Form plugin are at increased risk where administrators browse other sites or open links from untrusted sources while logged in to the dashboard, since that is the precondition a CSRF attack relies on. Sites with legacy WordPress configurations or those lacking robust security practices are also more exposed.
• wordpress / composer / npm:
grep -r 'handle_query_args' /var/www/html/wp-content/plugins/helpdesk-contact-form/
• wordpress / composer / npm:
wp plugin list --status=all | grep 'helpdesk-contact-form'
• wordpress / composer / npm:
wp plugin update helpdesk-contact-form
Disclosure
Exploit status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the HelpDesk Contact Form plugin to version 1.1.6 or later without delay. If upgrading is not immediately feasible because of compatibility concerns or testing requirements, consider temporary workarounds. A WAF rule targeting the vulnerable endpoint may be possible, but it is less effective than addressing the root cause, because the forged request arrives from the administrator's own browser with a valid session. Review suspicious requests to plugin configuration pages, restrict access to those pages to trusted administrators only, and regularly audit the plugin's settings (license ID, contact form ID) for unauthorized modifications.
Update to version 1.1.6 or a later patched version
CVE-2025-13657 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the HelpDesk Contact Form plugin for WordPress versions 0.0.0–1.1.5, allowing attackers to modify plugin settings.
If your site runs the HelpDesk Contact Form plugin at any version from 0.0.0 through 1.1.5, it is affected by this CSRF vulnerability.
Upgrade the HelpDesk Contact Form plugin to version 1.1.6 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
No active exploitation has been confirmed, but CSRF flaws of this kind are easy to reproduce once known, so the patch should be applied promptly.
Refer to the official WordPress security announcements and the HelpDesk Contact Form plugin's website for the latest information and advisory regarding CVE-2025-13657.