Platform
wordpress
Component
wp-quick-contact-us
Fixed in
1.0.1
CVE-2026-1394 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the WP Quick Contact Us plugin for WordPress. This flaw allows unauthenticated attackers to modify the plugin's settings if they can trick a site administrator into performing a malicious action. The vulnerability impacts versions 1.0.0 through 1.0, and a fix is expected in a future plugin release.
An attacker exploiting this CSRF vulnerability could potentially alter the behavior of the WP Quick Contact Us plugin without requiring authentication. This could involve changing contact form fields, redirect URLs, or other settings, leading to unexpected behavior or even malicious actions performed on behalf of the administrator. The impact is amplified if the plugin is heavily relied upon for critical communication or data collection, as an attacker could manipulate these processes. While the vulnerability requires social engineering to trick an administrator, the potential consequences could be significant, including data breaches or website defacement.
CVE-2026-1394 was publicly disclosed on 2026-02-14. No public proof-of-concept (PoC) code is currently available, but the vulnerability's nature makes it relatively straightforward to exploit. The EPSS score is likely to be assessed as low to medium, given the requirement for user interaction (administrator clicking a malicious link). Monitor security advisories and plugin updates for further information.
Websites utilizing the WP Quick Contact Us plugin, particularly those with administrator accounts that are frequently targeted by phishing attacks, are at risk. Shared hosting environments where multiple websites share the same server resources are also potentially vulnerable, as a compromised website could be used to target other sites on the same server.
• wordpress / composer / npm:
grep -r 'wp_quick_contact_us_settings_update' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list --status=all | grep "WP Quick Contact Us"
• wordpress / composer / npm:
wp plugin update --all
Disclosure
Exploit Status
EPSS
0.01% (2% percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-1394 is to upgrade to a patched version of the WP Quick Contact Us plugin as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds such as restricting access to the plugin's settings page to specific administrator roles or using a WordPress security plugin that provides CSRF protection. Web Application Firewalls (WAFs) configured to detect and block suspicious CSRF requests can also offer some protection. Regularly review WordPress plugin settings for any unauthorized changes.
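The plugin-side fix for this class of bug is a nonce check plus a capability check before any option is written. The following is an added example written for this page, not the WP Quick Contact Us plugin's own code; the option name, action name and field names (`qcu_settings`, `qcu_save_settings`, `redirect_url`) are assumed.

```php
<?php
// Added example (hypothetical handler, not the plugin's code): a hardened
// WordPress settings-save flow. The CSRF weakness described in CVE-2026-1394
// is what you get when a handler like this writes options without the
// nonce check and capability check shown below.

// Settings form: emits a nonce tied to the action name (names assumed).
function qcu_render_settings_form() {
    $settings = get_option( 'qcu_settings', array() );
    $redirect = isset( $settings['redirect_url'] ) ? $settings['redirect_url'] : '';
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="qcu_save_settings">';
    wp_nonce_field( 'qcu_save_settings', 'qcu_nonce' ); // per-user, time-limited CSRF token
    echo '<input type="url" name="redirect_url" value="' . esc_attr( $redirect ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Save handler: both checks must pass before any option is written.
function qcu_save_settings() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: a cross-site forged POST cannot carry a valid nonce,
    //    so the request dies here even though the admin's cookie is sent.
    check_admin_referer( 'qcu_save_settings', 'qcu_nonce' );

    // 3. Sanitize before storing; keep redirect targets on this site only.
    $redirect = isset( $_POST['redirect_url'] )
        ? esc_url_raw( wp_unslash( $_POST['redirect_url'] ) )
        : '';
    if ( '' !== $redirect
        && wp_parse_url( $redirect, PHP_URL_HOST ) !== wp_parse_url( home_url(), PHP_URL_HOST ) ) {
        $redirect = ''; // refuse off-site redirect targets
    }
    update_option( 'qcu_settings', array( 'redirect_url' => $redirect ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_qcu_save_settings', 'qcu_save_settings' );
```

When reviewing a plugin for this weakness, look for `update_option()` calls in admin handlers that are not preceded by `check_admin_referer()` / `wp_verify_nonce()` and a `current_user_can()` check.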
No known patch is available. Study the vulnerability details thoroughly and apply mitigations based on your organisation's risk tolerance. It may be best to remove the affected software and find a replacement.
CVE-2026-1394 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Quick Contact Us plugin for WordPress versions 1.0.0–1.0, allowing attackers to modify plugin settings via forged requests.
If you are using the WP Quick Contact Us plugin in versions 1.0.0–1.0, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the WP Quick Contact Us plugin. Until a patch is released, consider temporary workarounds like restricting access to plugin settings.
While no active exploitation has been confirmed, the vulnerability's nature makes it easily exploitable, so vigilance is advised.
Refer to the WP Quick Contact Us plugin developer's website or WordPress plugin repository for the official advisory and patch release.