CVE-2019-25734 MEDIUM

CVE-2019-25734: Contact Form by WD 1.13.1 CSRF to Local File Inclusion

Vendor Web-Dorado
Product Contact Form Maker
Weakness CWE-22 · Path traversal
Published June 4, 2026
Last update June 4, 2026

CVSS base score

5.1/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

What the vulnerability does

01Description

Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint with directory traversal sequences in the GET action parameter to load files via CSRF, bypassing authentication on vulnerable AJAX actions.

Key dates

02Disclosure timeline

June 4, 2026 CVE published
June 4, 2026 Record updated