CVE-2025-12718
BaseFortify
Publication date: 2026-01-17
Last updated on: 2026-01-17
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | quick_contact_form | up to and including 8.2.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to and including 8.2.6. The 'qcf_validate_form' AJAX endpoint accepts an attacker-controlled 'from' email address parameter, so an unauthenticated attacker can use the server to send email to arbitrary recipients with attacker-chosen contact form submission content.
How can this vulnerability impact me?
An unauthenticated attacker can use your server to send email to arbitrary recipients, which typically means it gets used for spam or phishing. The resulting damage is reputational and operational: your sending IP and domain can land on blocklists, legitimate mail from the site can start bouncing, and the outbound volume consumes server and mail-queue resources.
What immediate steps should I take to mitigate this vulnerability?
Update the Quick Contact Form WordPress plugin to version 8.2.7 or later, which sanitizes the email input so the endpoint can no longer be used as an open mail relay. [1] Because the endpoint is reachable without authentication, also review your web-server logs for unexpected requests to this AJAX action and check your outbound mail queue for messages you did not send.
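The log review suggested above, written out as an added example; this is not code from BaseFortify, Wordfence or the plugin. It assumes the 'qcf_validate_form' action is reached through WordPress's standard /wp-admin/admin-ajax.php path (the advisory names only the action), that the logs are in combined format, and that a burst threshold of 5 is a reasonable starting point. The sample log lines are constructed. Because an access log records only the query string, an action sent in the POST body is invisible there, so the script also flags bursts of body-only POSTs to admin-ajax.php as lower-confidence suspects to check against WAF or request-body logs.

```python
"""
Access-log triage for CVE-2025-12718 (Quick Contact Form <= 8.2.6 open mail relay).

Added example, not code from BaseFortify, Wordfence or the plugin. Assumptions:
  * the AJAX action is reached through WordPress's /wp-admin/admin-ajax.php
    (standard for wp_ajax_* handlers; the advisory names only the action);
  * logs are in combined format; the sample lines below are constructed;
  * the burst threshold (5) is an arbitrary starting point for tuning.
"""
import re
from collections import Counter
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "qcf_validate_form"   # endpoint named in the advisory

# ip ident user [timestamp] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ajax_action(path: str) -> Optional[str]:
    """Return the ?action= value of an admin-ajax.php request, or None.

    Only the query string is visible in an access log; an action sent in the
    POST body is invisible here, which is why triage() also counts blind POSTs.
    """
    parts = urlsplit(path)
    if parts.path != AJAX_PATH:
        return None
    return parse_qs(parts.query).get("action", [None])[0]


def triage(log_text: str, burst_threshold: int = 5) -> Dict[str, Dict[str, int]]:
    """Count, per source IP, POSTs that name the vulnerable action ("confirmed")
    and POSTs to admin-ajax.php with no visible action that reach the
    threshold ("suspect_bursts", to be checked against WAF/request-body logs).
    """
    confirmed: Counter = Counter()
    blind: Counter = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST":
            continue
        if urlsplit(rec["path"]).path != AJAX_PATH:
            continue
        action = ajax_action(rec["path"])
        if action == TARGET_ACTION:
            confirmed[rec["ip"]] += 1
        elif action is None:
            blind[rec["ip"]] += 1
    return {
        "confirmed": dict(confirmed),
        "suspect_bursts": {ip: n for ip, n in blind.items() if n >= burst_threshold},
    }


def _line(ip: str, sec: int, method: str, path: str, ua: str = "python-requests/2.31") -> str:
    """Build one constructed combined-format log line (sample data only)."""
    return (f'{ip} - - [17/Jan/2026:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 45 "-" "{ua}"')


# Constructed sample: one scripted abuser, one single hit, one blind burst, benign noise.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", f"{AJAX_PATH}?action={TARGET_ACTION}") for s in range(6)]
    + [_line("198.51.100.23", 10, "POST", f"{AJAX_PATH}?action={TARGET_ACTION}", ua="Mozilla/5.0")]
    + [_line("192.0.2.50", 20 + s, "POST", AJAX_PATH) for s in range(7)]
    + [_line("192.0.2.9", 30, "GET", f"{AJAX_PATH}?action=heartbeat", ua="Mozilla/5.0")]
    + [_line("192.0.2.10", 31, "POST", "/contact/", ua="Mozilla/5.0")]
    + ["not a combined-format line; parse_line() skips it"]
)

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG).items():
        for ip, n in sorted(hits.items(), key=lambda kv: -kv[1]):
            print(f"{bucket:15s} {ip:15s} {n}")
```

On the constructed sample, 203.0.113.7 (6 hits) and 198.51.100.23 (1 hit) are confirmed callers of the action, while 192.0.2.50 shows up only as a suspect burst of 7 body-only POSTs; the single GET heartbeat and the POSTs to the contact page are ignored. Run it against a real log with `triage(open(path).read())`, and treat a confirmed hit before the update to 8.2.7 as a reason to inspect the outbound mail queue for that time window.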