CVE-2025-12718

The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details.

CVSS v3 5.8 MEDIUM

5.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433286%40quick-contact-form&new=3433286%40quick-contact-form&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/dc7ba538-a7ee-48c8-996c-b8db1934fdeb?source=cve

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) El plugin Quick Contact Form para WordPress es vulnerable a Open Mail Relay en todas las versiones hasta la 8.2.6, inclusive. Esto se debe a que el endpoint AJAX 'qcf_validate_form' permite que un parámetro controlado por el usuario establezca la dirección de correo electrónico 'from'. Esto hace posible que atacantes no autenticados envíen correos electrónicos a destinatarios arbitrarios utilizando el servidor. La información se limita a los detalles de envío del formulario de contacto.

17 Jan 2026, 03:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-17 03:16

Updated : 2026-04-15 00:35

NVD link : CVE-2025-12718

Mitre link : CVE-2025-12718

CVE.ORG link : CVE-2025-12718

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

5.8 /10