CVE-2025-13657
CSRF Vulnerability in HelpDesk WordPress Plugin Allows Settings Manipulation
Publication date: 2026-01-07
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | helpdesk_contact_form | to 1.1.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the HelpDesk Contact Form WordPress plugin is installed and running a version up to and including 1.1.5. Specifically, you can look for the presence of URL query parameters `licenseID` and `contactFormID` being handled without nonce verification in the admin interface. To detect potential exploitation attempts on your system, you can monitor HTTP requests to the WordPress admin pages for suspicious GET requests containing these parameters. For example, you can use web server logs or network monitoring tools to search for requests like: `GET /wp-admin/admin.php?page=helpdesk&licenseID=...&contactFormID=...`. Suggested commands to detect such requests in web server logs (assuming Apache logs): 1. Using grep to find requests with licenseID or contactFormID: ``` grep -i 'licenseID' /var/log/apache2/access.log ``` ``` grep -i 'contactFormID' /var/log/apache2/access.log ``` 2. Using grep with both parameters: ``` grep -i 'licenseID' /var/log/apache2/access.log | grep -i 'contactFormID' ``` 3. Using tcpdump to capture HTTP traffic and filter for these parameters (replace `eth0` with your interface): ``` tcpdump -i eth0 -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep --line-buffered -E 'licenseID|contactFormID' ``` Note that detection relies on monitoring for these specific query parameters in admin requests, as the vulnerability involves updating license and contact form IDs via forged requests without nonce validation. Also, ensure you verify the plugin version to confirm vulnerability. No direct detection commands are provided in the resources, but monitoring for these parameters in admin URLs is a practical approach. [1, 3]
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the HelpDesk contact form plugin for WordPress, affecting all versions up to and including 1.1.5. It occurs because the plugin's handle_query_args() function lacks proper nonce validation, allowing unauthenticated attackers to trick a site administrator into performing actions like updating the plugin's license ID and contact form ID settings via a forged request.
How can this vulnerability impact me? :
An attacker can exploit this vulnerability to change important plugin settings such as the license ID and contact form ID without authentication, by tricking an administrator into clicking a malicious link. This could lead to unauthorized configuration changes that may disrupt service or enable further attacks.
What immediate steps should I take to mitigate this vulnerability?
Update the HelpDesk contact form plugin for WordPress to a version later than 1.1.5 where the nonce validation issue in the handle_query_args() function is fixed. Additionally, avoid clicking on suspicious links and ensure site administrators are aware of the risk of Cross-Site Request Forgery attacks.