CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
What the vulnerability does
The Professional Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the watch_for_contact_form_submit function. This makes it possible for unauthenticated attackers to trigger test email sending via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Explanation of Vulnerability in Simple Terms
Professional Contact Form versions 1.0.0 and earlier are vulnerable to cross-site request forgery (CSRF) attacks. An attacker can craft a malicious webpage that, when visited by a site administrator, performs unwanted actions on the contact form without their knowledge. The vulnerability requires the admin to visit the attacker's page while logged in. No sensitive data is exposed, but form settings or submissions could be modified.
What an attacker can do
Trick a logged-in admin into modifying contact form settings or submissions via a malicious webpage.
Potential impact on your site
Contact form configuration or data could be altered without your knowledge if you visit a malicious link.
Conditions required to exploit
Admin must visit attacker-controlled webpage while logged into the site.
Key dates
External resources
Related vulnerabilities
