Platform: wordpress
Component: wp-quick-contact-us
Fixed in: 1.0.1
CVE-2026-1394 describes a Cross-Site Request Forgery (CSRF) vulnerability in the WP Quick Contact Us plugin for WordPress. The flaw allows unauthenticated attackers to modify the plugin's settings if they can trick a site administrator into performing an action, such as visiting a crafted page while logged in. The vulnerability impacts versions 1.0.0 through 1.0, and a fix is expected in a future plugin release.
An attacker exploiting this CSRF vulnerability could alter the behavior of the WP Quick Contact Us plugin without holding any credentials of their own: the forged request is carried out by the administrator's browser, using the administrator's session. This could involve changing contact form fields, redirect URLs, or other settings, leading to unexpected behavior or malicious actions performed on behalf of the administrator. The impact is amplified where the plugin is relied upon for critical communication or data collection, since an attacker could manipulate those processes. Although exploitation requires social engineering of an administrator, the potential consequences could be significant, including data breaches or website defacement.
CVE-2026-1394 was publicly disclosed on 2026-02-14. No public proof-of-concept (PoC) code is currently available, but the nature of the vulnerability makes it relatively straightforward to exploit. The EPSS score is likely to be assessed as low to medium, given the requirement for user interaction (an administrator clicking a malicious link). Monitor security advisories and plugin updates for further information.
Exploit Status:
EPSS: 0.01% (2nd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-1394 is to upgrade to a patched version of the WP Quick Contact Us plugin as soon as it becomes available. Until a patch is released, consider temporary workarounds such as restricting access to the plugin's settings page to specific administrator roles, or using a WordPress security plugin that provides CSRF protection. Web Application Firewalls (WAFs) configured to detect and block suspicious cross-site requests (for example, state-changing POSTs to the settings endpoint with a missing or foreign Origin or Referer header) can also offer partial protection. Regularly review the plugin's settings for unauthorized changes.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
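For context on what the fix for this class of bug looks like, here is an added illustration of the standard WordPress pattern for a settings-save handler. It is not the WP Quick Contact Us plugin's code; the option name, hook names and form fields are hypothetical. The point it makes is that a capability check alone does not stop CSRF (the administrator's browser supplies the session cookie), so the handler also needs a nonce that a cross-site page cannot obtain.

```php
<?php
/*
 * Hypothetical settings handler showing the two guards a WordPress
 * plugin needs so that a forged cross-site POST cannot change settings.
 * NOT the WP Quick Contact Us plugin's code; all names are illustrative.
 */

// Render the settings form with a nonce bound to a specific action name.
function example_qcu_render_settings_form() {
    $settings = get_option( 'example_qcu_settings', array() );
    $redirect = isset( $settings['redirect_url'] ) ? $settings['redirect_url'] : '';
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_qcu_save">
        <?php wp_nonce_field( 'example_qcu_save_settings', 'example_qcu_nonce' ); ?>
        <label>Redirect URL
            <input type="url" name="redirect_url" value="<?php echo esc_attr( $redirect ); ?>">
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

// admin_post_{action} runs only for logged-in users, but that alone is
// exactly what a CSRF attack relies on: the victim IS logged in.
add_action( 'admin_post_example_qcu_save', 'example_qcu_handle_save' );

function example_qcu_handle_save() {
    // Guard 1: authorization. Only users who may manage options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Guard 2: intent. The nonce is embedded in the legitimate form and
    // tied to this action; a third-party page cannot read it, so a forged
    // POST fails here. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'example_qcu_save_settings', 'example_qcu_nonce' );

    // Sanitize before persisting; a redirect URL is a classic abuse target.
    $redirect = isset( $_POST['redirect_url'] )
        ? esc_url_raw( wp_unslash( $_POST['redirect_url'] ) )
        : '';
    update_option( 'example_qcu_settings', array( 'redirect_url' => $redirect ) );

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true',
        admin_url( 'options-general.php?page=example-qcu' ) ) );
    exit;
}
```

When reviewing a plugin for this weakness, look for any handler that calls update_option() on request data without a check_admin_referer() or wp_verify_nonce() call on the same path.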
CVE-2026-1394 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Quick Contact Us plugin for WordPress, versions 1.0.0–1.0, that allows attackers to modify plugin settings via forged requests.
If you are running the WP Quick Contact Us plugin at versions 1.0.0–1.0, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the WP Quick Contact Us plugin. Until a patch is released, consider temporary workarounds such as restricting access to the plugin's settings.
While no active exploitation has been confirmed, the nature of the vulnerability makes it easy to exploit, so vigilance is advised.
Refer to the WP Quick Contact Us plugin developer's website or the WordPress plugin repository for the official advisory and patch release.