Platform: wordpress
Component: quick-contact-form
Fixed in: 8.2.6
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Quick Contact Form WordPress plugin, impacting versions from 0.0.0 up to and including 8.2.5. This flaw allows an attacker to trick authenticated users into performing actions they did not intend, potentially leading to unauthorized data modification or malicious form submissions. The vulnerability has been resolved in version 8.2.6, and users are strongly advised to upgrade.
The CSRF vulnerability in Quick Contact Form allows an attacker to exploit authenticated users of the WordPress site. An attacker could craft malicious links or embed hidden forms on other websites that, when visited by an authenticated user, would trigger actions within the Quick Contact Form plugin without the user's knowledge. This could involve submitting malicious contact forms with arbitrary data, potentially leading to spam, phishing attacks, or even unauthorized modifications to the website's configuration. The blast radius extends to any user with access to the WordPress admin panel or any functionality exposed through the Quick Contact Form plugin.
The vulnerability was publicly disclosed on 2025-12-09. No known public proof-of-concept exploits are currently available, but the CSRF nature of the vulnerability means it is relatively easy to exploit. The EPSS score is likely to be assessed as medium due to the ease of exploitation and potential impact. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-67471 is to upgrade the Quick Contact Form plugin to version 8.2.6 or later. If an immediate upgrade is not possible because of compatibility issues or breaking changes, consider deploying a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, ensure that all contact forms carry proper CSRF tokens that the server verifies on every submission, so that requests which did not originate from the site's own form are rejected. For detection, monitor WordPress logs for unusual form submission patterns or unexpected activity originating from external sources. After the upgrade, confirm the fix by replaying a cross-origin submission against the previously vulnerable endpoint and verifying that the request is rejected.
Update to version 8.2.6 or a newer patched version.
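The token check described above, shown as an added example of a nonce-guarded WordPress form handler; this is illustrative code written for this page, not code from the Quick Contact Form plugin, and the hook name `qcf_demo_submit`, the nonce action `qcf_demo_submit_form` and the option `qcf_demo_last_message` are hypothetical names chosen here.

```php
<?php
// Added illustration, not Quick Contact Form's own code. All qcf_demo_* names
// are hypothetical; the WordPress functions used are the core nonce/sanitization API.

// Render the form. wp_nonce_field() emits a hidden input bound to the current
// user and session, so a form hosted on a third-party site cannot supply a
// valid value for it.
function qcf_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="qcf_demo_submit">
        <?php wp_nonce_field( 'qcf_demo_submit_form', 'qcf_demo_nonce' ); ?>
        <input type="text" name="qcf_message" required>
        <button type="submit">Send</button>
    </form>
    <?php
}

// Handle the POST. The request is rejected unless the nonce is present and
// valid; only then are authorization and sanitization applied and data stored.
function qcf_demo_handle_submit() {
    $nonce = isset( $_POST['qcf_demo_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['qcf_demo_nonce'] ) )
        : '';

    // wp_verify_nonce() returns false for a missing, forged or expired token.
    if ( ! wp_verify_nonce( $nonce, 'qcf_demo_submit_form' ) ) {
        wp_die( 'Invalid request origin.', 'Forbidden', array( 'response' => 403 ) );
    }

    // A valid nonce proves the user intended this request, not that they are
    // allowed to make it; keep a separate capability check.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    $message = isset( $_POST['qcf_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['qcf_message'] ) )
        : '';
    update_option( 'qcf_demo_last_message', $message );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
// admin_post_{action} fires for logged-in users submitting to admin-post.php.
add_action( 'admin_post_qcf_demo_submit', 'qcf_demo_handle_submit' );
```

A submission that lacks the nonce, or carries one generated for a different user or action, stops at the `wp_verify_nonce()` check with a 403 before any option is written.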
CVE-2025-67471 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Quick Contact Form WordPress plugin, allowing attackers to perform unauthorized actions on behalf of authenticated users.
You are affected if you are running Quick Contact Form plugin versions 0.0.0 through 8.2.5 on a WordPress site. Upgrade to 8.2.6 or later to mitigate the risk.
The recommended fix is to upgrade the Quick Contact Form plugin to version 8.2.6 or a later version. Consider implementing WAF rules as a temporary workaround.
While no active exploitation campaigns have been confirmed, the CSRF nature of the vulnerability makes it relatively easy to exploit.
Refer to the Quick Contact Form plugin's official website or WordPress plugin repository for the latest advisory and update information.