Platform
wordpress
Component
quick-contact-form
Fixed version
8.2.6
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Quick Contact Form WordPress plugin, impacting versions from 0.0.0 up to and including 8.2.5. This flaw allows an attacker to trick authenticated users into performing actions they did not intend, potentially leading to unauthorized data modification or malicious form submissions. The vulnerability has been resolved in version 8.2.6, and users are strongly advised to upgrade.
The CSRF vulnerability in Quick Contact Form allows an attacker to exploit authenticated users of the WordPress site. An attacker could craft malicious links or embed hidden forms on other websites that, when visited by an authenticated user, would trigger actions within the Quick Contact Form plugin without the user's knowledge. This could involve submitting malicious contact forms with arbitrary data, potentially leading to spam, phishing attacks, or even unauthorized modifications to the website's configuration. The blast radius extends to any user with access to the WordPress admin panel or any functionality exposed through the Quick Contact Form plugin.
The vulnerability was publicly disclosed on 2025-12-09. No known public proof-of-concept exploits are currently available, but the CSRF nature of the vulnerability means it is relatively easy to exploit. The EPSS score is likely to be assessed as medium due to the ease of exploitation and potential impact. It is not currently listed on the CISA KEV catalog.
Websites utilizing the Quick Contact Form plugin, particularly those with user authentication and contact form submission features, are at risk. Shared hosting environments where multiple WordPress sites share the same server resources are also at increased risk, as a compromise on one site could potentially impact others.
• wordpress / composer / npm:
grep -r 'quick-contact-form/includes/quick-contact-form.php' . | grep -i 'wp_send_redirect'
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/quick-contact-form/ | grep -i 'quick-contact-form'
Exploitation status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-67471 is to upgrade the Quick Contact Form plugin to version 8.2.6 or later. If an immediate upgrade is not possible because of compatibility issues or breaking changes, consider placing a Web Application Firewall (WAF) with CSRF protection rules in front of the site to filter out malicious requests. Additionally, ensure that every form handler verifies a CSRF token (in WordPress, a nonce) before acting on the request, so that a request forged from another site is rejected regardless of the victim's session. For detection, monitor WordPress logs for unusual form submission patterns or unexpected activity originating from external sources. After the upgrade, confirm the fix by attempting a CSRF attack via a known vulnerable endpoint and verifying that the request is blocked.
Update to version 8.2.6 or a later fixed version
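To make the nonce-based protection referred to above concrete, here is an added example written for this page (not the Quick Contact Form plugin's own code): a hypothetical settings form for a WordPress plugin, with the unprotected handler beside the hardened one. The option name, action name and function names are all invented for the illustration.

```php
<?php
// Added example: hypothetical plugin settings handler, not Quick Contact
// Form's code. Option and action names are made up for illustration.

// Render the form. wp_nonce_field() emits a hidden field bound to the
// current user's session and the action string, which a page on another
// origin cannot read or forge.
function qcf_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="qcf_example_save">
        <?php wp_nonce_field( 'qcf_example_save', 'qcf_example_nonce' ); ?>
        <input type="text" name="recipient_email"
               value="<?php echo esc_attr( get_option( 'qcf_example_recipient', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Weak pattern: acts on any POST that names the action. A logged-in
// administrator who loads a third-party page would have this run with
// their own cookies, which is exactly the CSRF failure mode.
function qcf_example_save_unprotected() {
    update_option( 'qcf_example_recipient',
        sanitize_email( wp_unslash( $_POST['recipient_email'] ?? '' ) ) );
}

// Hardened pattern: capability check plus nonce verification. Both are
// needed: the nonce proves the request came from a form this site rendered
// for this user; the capability check proves the user may change settings.
function qcf_example_save_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() wraps wp_verify_nonce() and dies on failure.
    check_admin_referer( 'qcf_example_save', 'qcf_example_nonce' );

    $email = sanitize_email( wp_unslash( $_POST['recipient_email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid email address', '', array( 'response' => 400 ) );
    }
    update_option( 'qcf_example_recipient', $email );
    wp_safe_redirect( add_query_arg( 'qcf_saved', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_qcf_example_save', 'qcf_example_save_protected' );
```

A request that reaches `qcf_example_save_protected` without a valid nonce ends in a 403 from `check_admin_referer()`, which is the behaviour the post-upgrade verification step above should observe.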
CVE-2025-67471 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Quick Contact Form WordPress plugin, allowing attackers to perform unauthorized actions on behalf of authenticated users.
You are affected if your WordPress site runs the Quick Contact Form plugin at any version from 0.0.0 through 8.2.5. Upgrade to 8.2.6 or later to mitigate the risk.
The recommended fix is to upgrade the Quick Contact Form plugin to version 8.2.6 or a later version. Consider implementing WAF rules as a temporary workaround.
While no active exploitation campaigns have been confirmed, the CSRF nature of the vulnerability makes it relatively easy to exploit, and exploitation is possible.
Refer to the Quick Contact Form plugin's official website or WordPress plugin repository for the latest advisory and update information.