CVE-2025-12718
📋 TL;DR
The Quick Contact Form WordPress plugin contains an open mail relay vulnerability that allows unauthenticated attackers to send emails with arbitrary 'from' addresses using the website's server. This affects all WordPress sites using Quick Contact Form version 8.2.6 or earlier. Attackers can abuse this to send spam or phishing emails that appear to originate from the vulnerable website.
💻 Affected Systems
- Quick Contact Form WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers send large volumes of spam/phishing emails from your domain, causing domain/IP blacklisting, reputation damage, and potential legal liability for abuse.
Likely Case
Spam campaigns using your server resources and domain reputation, potentially leading to email deliverability issues and increased server load.
If Mitigated
Limited impact if email sending is rate-limited or monitored, but still represents unauthorized use of resources.
🎯 Exploit Status
Simple HTTP POST request to the vulnerable AJAX endpoint with manipulated parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.2.7 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Quick Contact Form
4. Click 'Update Now' if available
5. If no update appears, manually download version 8.2.7+ from WordPress.org
6. Deactivate old version, upload new version, activate
🔧 Temporary Workarounds
Disable Quick Contact Form Plugin
allTemporarily deactivate the vulnerable plugin until patched
wp plugin deactivate quick-contact-form
Block Vulnerable Endpoint
linuxAdd web application firewall rule to block access to qcf_validate_form AJAX endpoint
# Example .htaccess rule for Apache:
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} action=qcf_validate_form
RewriteRule ^ - [F]
🧯 If You Can't Patch
- Deactivate the Quick Contact Form plugin immediately
- Implement rate limiting on email sending and monitor for unusual outbound email activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Quick Contact Form version number. If version is 8.2.6 or lower, you are vulnerable.Check Version:
wp plugin get quick-contact-form --field=versionVerify Fix Applied:
Verify plugin version is 8.2.7 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual volume of POST requests to /wp-admin/admin-ajax.php with action=qcf_validate_form
- Spike in outbound email traffic from web server
Network Indicators:
- Multiple email delivery attempts from web server IP
- Unusual SMTP traffic patterns from web application
SIEM Query:
source="web_server_logs" AND uri="/wp-admin/admin-ajax.php" AND query="action=qcf_validate_form" | stats count by src_ip