CVE-2025-12718 MEDIUM

CVE-2025-12718: Quick Contact Form <= 8.2.6 - Unauthenticated Open Mail Relay

Vendor Saadiqbal

Product Quick Contact Form

Weakness CWE-20 · Input validation

Published January 17, 2026

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details.

Key dates

02Disclosure timeline

January 17, 2026 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-12718

Related vulnerabilities

CVE-2025-12718: Quick Contact Form <= 8.2.6 - Unauthenticated Open Mail Relay

01Description

02Disclosure timeline

03References

04Related CVE