CVE-2026-1394
CSRF Vulnerability in WP Quick Contact Us Plugin Allows Settings Modification
Publication date: 2026-02-14
Last updated on: 2026-02-14
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_quick_contact_us | wp_quick_contact_us | up to and including 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Quick Contact Us plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. The plugin's settings-update handler does not validate a WordPress nonce, the per-user, per-action token that ties a form submission to a page the user actually loaded from the site.
Because a browser attaches the administrator's session cookies to any request it makes to the site, an unauthenticated attacker who lures a logged-in administrator to an attacker-controlled page (for example through a link) can have that page submit a forged settings request, and the plugin saves the new settings without the administrator's knowledge or consent.
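The pattern behind the defect and the corresponding fix, shown as an added illustration that is not the plugin's own code. The option name (wpqcu_recipient_email), the admin-post action (wpqcu_save_settings), the nonce field name and the settings page slug are assumptions made for this example:

```php
<?php
// Added illustration, not the WP Quick Contact Us plugin's own code.
// Assumed names: option 'wpqcu_recipient_email', admin-post action
// 'wpqcu_save_settings', nonce field 'wpqcu_nonce', settings page 'wpqcu'.

// --- Vulnerable pattern (CWE-352): saves settings on any POST ---------------
// Any page the administrator visits can submit this form on their behalf;
// the browser adds the admin's cookies, so the request looks legitimate.
function wpqcu_save_settings_vulnerable() {
    if ( isset( $_POST['wpqcu_recipient_email'] ) ) {
        update_option( 'wpqcu_recipient_email',
            sanitize_email( wp_unslash( $_POST['wpqcu_recipient_email'] ) ) );
    }
}
// add_action( 'admin_init', 'wpqcu_save_settings_vulnerable' ); // the bug

// --- Hardened handler: capability check + nonce check ----------------------
function wpqcu_save_settings_fixed() {
    // 1. Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'wpqcu' ), 403 );
    }
    // 2. CSRF protection: the nonce is bound to the logged-in user and to the
    //    action 'wpqcu_save_settings'; a forged cross-site form cannot know it.
    //    check_admin_referer() calls wp_die() when the nonce is missing or bad.
    check_admin_referer( 'wpqcu_save_settings', 'wpqcu_nonce' );

    $email = isset( $_POST['wpqcu_recipient_email'] )
        ? sanitize_email( wp_unslash( $_POST['wpqcu_recipient_email'] ) )
        : '';
    if ( ! is_email( $email ) ) {
        wp_die( esc_html__( 'Invalid email address.', 'wpqcu' ), 400 );
    }
    update_option( 'wpqcu_recipient_email', $email );

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true',
        admin_url( 'options-general.php?page=wpqcu' ) ) );
    exit;
}
add_action( 'admin_post_wpqcu_save_settings', 'wpqcu_save_settings_fixed' );

// --- Settings form: must emit the matching nonce field ---------------------
function wpqcu_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpqcu_save_settings">
        <?php wp_nonce_field( 'wpqcu_save_settings', 'wpqcu_nonce' ); ?>
        <label>Recipient email
            <input type="email" name="wpqcu_recipient_email"
                   value="<?php echo esc_attr( get_option( 'wpqcu_recipient_email', '' ) ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Both checks are needed: the nonce stops a cross-site page from submitting the form on the administrator's behalf, and the capability check stops a logged-in low-privilege user (who can obtain a valid nonce for their own session) from reaching the same handler.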
How can this vulnerability impact me?
This vulnerability allows an attacker to change the plugin's settings without authorization by exploiting the missing nonce validation: once a logged-in administrator opens an attacker-controlled page, that page can submit a settings-update request that the site accepts as the administrator's own.
Potential impacts include unauthorized modification of the recipient email address or other settings, which could let the attacker receive or redirect messages sent through the contact form, disrupt the form, or set up further abuse such as email spoofing or injection of attacker-controlled content, depending on which settings the plugin exposes.
The CVSS score is moderate (4.3) because the attack requires user interaction (a logged-in administrator must visit the attacker's page) and affects only the integrity of the plugin's settings; confidentiality and availability are not directly impacted.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves missing nonce validation on the settings update functionality of the WP Quick Contact Us plugin, allowing Cross-Site Request Forgery (CSRF) attacks. Detection can focus on identifying forged POST requests to the plugin's settings update endpoint, with one important caveat: a CSRF request is sent by the administrator's own browser, so it carries the administrator's session cookies and source IP and, in the access log, looks like a legitimate settings change. What distinguishes it is where the browser was when it sent the request.
- Use web server logs to search for POST requests to URLs related to the WP Quick Contact Us plugin settings, for example requests containing 'wp-quick-contact-us' or the admin menu slug.
- Do not expect to see the missing nonce in access logs: the nonce is a field in the POST body, which Apache and Nginx do not log by default. If your log format records the Referer (the common "combined" format does), look for POSTs to wp-admin whose Referer is not your own site; current browsers also send Sec-Fetch-Site: cross-site on such requests, which a WAF or reverse proxy can log or act on.
- Example command to search Apache or Nginx logs for POST requests to the plugin (adjust path, slug and log file as needed):
grep -i 'POST' /var/log/apache2/access.log | grep 'wp-quick-contact-us'
- Use curl or Burp Suite to confirm the defect on an installed copy: replay a captured settings-update POST with the nonce parameter removed while still authenticated as an administrator. A vulnerable version saves the settings anyway; a fixed version rejects the request.
- Monitor for unexpected changes in plugin settings (for example the recipient email address stored in the WordPress options table) that could indicate successful exploitation. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing unauthorized changes to the plugin settings by restricting access and disabling the vulnerable plugin if possible.
- Temporarily deactivate or uninstall the WP Quick Contact Us plugin until a release that fixes the issue is available (the advisory lists all versions up to and including 1.0 as affected).
- Restrict administrative access to trusted users only. Advising administrators not to click suspicious links helps but is not sufficient: any page opened while logged in to wp-admin can submit the forged request. Logging out of wp-admin when finished, or using a separate browser profile for administration, removes the session the attack depends on.
- A WAF cannot validate WordPress nonces (they are per-user, per-action tokens derived from the site's secret keys), so rule on what a WAF can see instead: block or alert on POST requests to wp-admin paths whose Origin or Referer header belongs to another site, or whose Sec-Fetch-Site header is cross-site.
- Keep WordPress core, themes, and plugins updated to the latest versions to reduce exposure to known vulnerabilities.
Long term, ensure that plugins implement proper nonce validation (wp_nonce_field() in the form, check_admin_referer() or wp_verify_nonce() in the handler) together with capability checks (current_user_can()) to prevent CSRF vulnerabilities. [2]
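For both the detection and the mitigation questions above, an added example (not code from the plugin, the advisory or Wordfence) of a must-use plugin that logs and rejects browser-originated cross-site POSTs to wp-admin, using Fetch Metadata with an Origin/Referer fallback. It is a stop-gap for the period in which the vulnerable plugin is still installed; the plugin and function names (xsg_*) are invented for the example:

```php
<?php
/**
 * Plugin Name: Cross-site POST guard (added example, not part of WP Quick Contact Us)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Defence in depth while a CSRF-vulnerable plugin is installed: rejects
 * browser-originated cross-site POSTs to wp-admin and logs them. A WAF cannot
 * validate WordPress nonces, but it, or this hook, can check where a browser
 * request came from.
 */

// Returns a reason string if the request is a browser-originated cross-site
// POST, or '' if it should be allowed. Pure function: takes $_SERVER-like data
// and the site's host so it can be unit-tested outside WordPress.
function xsg_cross_site_reason( array $server, string $home_host ): string {
    if ( strtoupper( $server['REQUEST_METHOD'] ?? 'GET' ) !== 'POST' ) {
        return '';
    }
    // Modern browsers send Fetch Metadata; 'cross-site' is the unambiguous CSRF signal.
    $site = strtolower( $server['HTTP_SEC_FETCH_SITE'] ?? '' );
    if ( $site === 'cross-site' ) {
        return 'Sec-Fetch-Site: cross-site';
    }
    if ( $site !== '' ) {
        return ''; // same-origin, same-site or none: not a cross-site navigation
    }
    // Older browsers: fall back to Origin, then Referer. A request with neither
    // header is left alone so non-browser clients (cron, API integrations) keep working.
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $key ) {
        if ( ! empty( $server[ $key ] ) && $server[ $key ] !== 'null' ) {
            $host = parse_url( $server[ $key ], PHP_URL_HOST );
            if ( is_string( $host ) && strcasecmp( $host, $home_host ) === 0 ) {
                return '';
            }
            return "$key: {$server[$key]}";
        }
    }
    return '';
}

// admin_init fires for wp-admin pages, options.php, admin-post.php and
// admin-ajax.php before any plugin's settings handler runs.
add_action( 'admin_init', function () {
    $home_host = (string) parse_url( home_url(), PHP_URL_HOST );
    $reason    = xsg_cross_site_reason( $_SERVER, $home_host );
    if ( $reason === '' ) {
        return;
    }
    // Detection: one line per rejected request for the PHP error log / SIEM.
    error_log( sprintf( 'xsg: rejected cross-site POST to %s from %s (%s)',
        $_SERVER['REQUEST_URI'] ?? '?', $_SERVER['REMOTE_ADDR'] ?? '?', $reason ) );
    // Mitigation: refuse before the vulnerable handler can save anything.
    wp_die( 'Cross-site request rejected.', 'Forbidden', 403 );
} );
```

Two caveats when deploying this: a legitimate integration that POSTs to admin-post.php or admin-ajax.php from another origin (a payment gateway return, a third-party dashboard) will be rejected and should be allow-listed, and the Referer comparison is exact-host, so a multisite or subdomain setup needs the host check loosened accordingly. This hook does not replace the proper fix in the plugin; it only narrows the window until the plugin is updated or removed.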