CVE-2025-28864
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in the Planet Studio Builder for Contact Form 7 by Webconstruct WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions. It affects WordPress sites running this plugin in all versions up to and including 1.2.2. The vulnerability lets an attacker change plugin settings or perform other administrative actions without the victim's knowledge.
💻 Affected Systems
- Planet Studio Builder for Contact Form 7 by Webconstruct WordPress plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify contact form configurations, inject malicious scripts, or change plugin settings to enable further attacks, potentially leading to data theft or site compromise.
Likely Case
Attackers trick administrators into changing plugin settings, potentially breaking contact form functionality or enabling other vulnerabilities.
If Mitigated
With proper CSRF protections and user awareness, the risk is limited to temporary configuration changes that can be reverted.
🎯 Exploit Status
CSRF attacks are well understood and easy to implement; exploitation requires tricking an authenticated administrator into loading attacker-controlled content.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.3 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Builder for Contact Form 7 by Webconstruct'
4. Click 'Update Now' if available
5. If no update is available, deactivate and delete the plugin, then install a fresh copy of version 1.2.3 or later from the WordPress plugin repository
🔧 Temporary Workarounds
CSRF Protection Headers
Implement Content Security Policy (CSP) headers and SameSite cookie attributes to reduce CSRF risk.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'"
Set SameSite=Strict for session cookies.
Plugin Deactivation
Temporarily disable the vulnerable plugin until patched (Linux shell, WP-CLI; the slug cf7-builder is assumed here):
wp plugin deactivate cf7-builder
🧯 If You Can't Patch
- Implement strict access controls limiting administrative functions to trusted networks only
- Use browser extensions that block CSRF attempts and educate administrators about phishing risks
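The header and cookie measures above reduce exposure, but the control that actually rejects a forged request is server-side verification in the handler itself: WordPress's nonce and capability checks. The following is an added illustration written for this advisory, not code from the plugin or from its 1.2.3 patch. It shows a minimal settings handler in the unprotected shape the vulnerability class describes, beside the hardened shape. All names in it (the option key cf7_builder_demo_settings, the nonce action and admin_post action cf7_builder_demo_save, the nonce field _cf7_builder_nonce, the page slug cf7-builder-demo) are hypothetical.

```php
<?php
// Added illustration (not the plugin's code): the standard WordPress
// defence against CSRF on an admin settings form. All identifiers below
// are hypothetical; requires WordPress loaded (runs as a small plugin).

// Vulnerable shape, shown for contrast only and never hooked: the handler
// trusts any POST that reaches it. The browser attaches the admin's login
// cookie to a cross-site form submission, so the write goes through.
function cf7_builder_demo_save_unprotected() {
    $value = sanitize_text_field( wp_unslash( $_POST['recipient'] ?? '' ) );
    update_option( 'cf7_builder_demo_settings', array( 'recipient' => $value ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=cf7-builder-demo&saved=1' ) );
    exit;
}

// Hardened shape: capability check plus nonce verification.
// check_admin_referer() validates the nonce field against the current user
// and session and stops the request with a "link has expired" page when the
// field is missing or wrong, so a forged cross-site POST never reaches
// update_option(). The nonce is not readable by a third-party page.
function cf7_builder_demo_save_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'cf7_builder_demo_save', '_cf7_builder_nonce' );

    $value = sanitize_text_field( wp_unslash( $_POST['recipient'] ?? '' ) );
    update_option( 'cf7_builder_demo_settings', array( 'recipient' => $value ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=cf7-builder-demo&saved=1' ) );
    exit;
}
add_action( 'admin_post_cf7_builder_demo_save', 'cf7_builder_demo_save_protected' );

// The legitimate form must carry the matching nonce field; wp_nonce_field()
// emits it as a hidden input bound to the logged-in user.
function cf7_builder_demo_render_form() {
    $settings = get_option( 'cf7_builder_demo_settings', array( 'recipient' => '' ) );
    ?>
    <div class="wrap">
        <h1>CF7 Builder demo settings</h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="cf7_builder_demo_save">
            <?php wp_nonce_field( 'cf7_builder_demo_save', '_cf7_builder_nonce' ); ?>
            <label>Recipient
                <input type="email" name="recipient"
                       value="<?php echo esc_attr( $settings['recipient'] ); ?>">
            </label>
            <?php submit_button( 'Save' ); ?>
        </form>
    </div>
    <?php
}

// Register the page under Settings so the form is reachable in wp-admin.
add_action( 'admin_menu', function () {
    add_options_page(
        'CF7 Builder demo',
        'CF7 Builder demo',
        'manage_options',
        'cf7-builder-demo',
        'cf7_builder_demo_render_form'
    );
} );
```

Dropped into wp-content/plugins/ as a single file with a plugin header, the page saves normally from its own form, while a POST that arrives without a valid _cf7_builder_nonce is stopped by check_admin_referer() before any option is written. Both checks are needed: the capability check alone does not help, because in a CSRF the victim really is an administrator.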
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Builder for Contact Form 7 by Webconstruct' at version ≤ 1.2.2
Check Version:
wp plugin get cf7-builder --field=version
Verify Fix Applied:
Verify plugin version is 1.2.3 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual plugin configuration changes from unexpected IP addresses
- Multiple failed CSRF token validations in WordPress logs
Network Indicators:
- HTTP POST requests to wp-admin/admin-ajax.php with plugin-specific actions from non-admin referrers
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "action=cf7_builder" AND NOT referer="*wp-admin*"
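The SIEM query above, as an added example written for this advisory rather than taken from it: the same indicator (a POST to admin-ajax.php carrying a cf7_builder action whose Referer is not a page under the site's own /wp-admin/) implemented as a small PHP 8 script over a constructed JSON-lines log. The log format and its field names (ts, ip, user, method, path, action, referer) are assumptions; the five sample entries are constructed so that line 1 is a normal admin save, line 2 is an unrelated action, line 3 is a save whose Referer is a third-party page, line 4 is a save with no Referer at all, and line 5 is a read-only GET.

```php
<?php
// Added example (not from the advisory): the detection query run over
// constructed log lines. Field names and log format are assumptions.

const SUSPECT_ACTION_PREFIX = 'cf7_builder';

// Constructed sample log (JSON Lines). example.test is the monitored site.
const SAMPLE_LOG = <<<'LOG'
{"ts":"2025-03-10T09:12:01Z","ip":"203.0.113.5","user":"admin","method":"POST","path":"/wp-admin/admin-ajax.php","action":"cf7_builder_save","referer":"https://example.test/wp-admin/admin.php?page=cf7-builder"}
{"ts":"2025-03-10T09:12:07Z","ip":"203.0.113.5","user":"admin","method":"POST","path":"/wp-admin/admin-ajax.php","action":"heartbeat","referer":"https://example.test/wp-admin/post.php"}
{"ts":"2025-03-10T11:40:22Z","ip":"203.0.113.5","user":"admin","method":"POST","path":"/wp-admin/admin-ajax.php","action":"cf7_builder_save","referer":"https://forum.invalid/thread/1234"}
{"ts":"2025-03-10T11:41:03Z","ip":"198.51.100.77","user":"admin","method":"POST","path":"/wp-admin/admin-ajax.php","action":"cf7_builder_save","referer":""}
{"ts":"2025-03-10T11:45:00Z","ip":"203.0.113.5","user":"admin","method":"GET","path":"/wp-admin/admin-ajax.php","action":"cf7_builder_load","referer":"https://forum.invalid/thread/1234"}
LOG;

/**
 * True when one entry is a state-changing admin-ajax request for the
 * plugin whose Referer is not a page under this site's own /wp-admin/.
 */
function is_suspicious_request(array $entry, string $site_host): bool {
    if (($entry['method'] ?? '') !== 'POST') {
        return false;                       // only writes are of interest
    }
    if (!str_ends_with($entry['path'] ?? '', '/admin-ajax.php')) {
        return false;
    }
    if (!str_starts_with($entry['action'] ?? '', SUSPECT_ACTION_PREFIX)) {
        return false;                       // unrelated AJAX action
    }
    $referer = $entry['referer'] ?? '';
    if ($referer === '') {
        return true;  // no Referer: cannot confirm it came from our admin UI
    }
    $parts = parse_url($referer);
    $host  = strtolower($parts['host'] ?? '');
    $path  = $parts['path'] ?? '';
    // Compare the host exactly and require an admin path; a bare substring
    // match on "wp-admin" would also accept other-host/wp-admin/ referers.
    return !($host === strtolower($site_host) && str_starts_with($path, '/wp-admin/'));
}

/** Scan a JSON-lines log and return the matching entries with line numbers. */
function find_suspicious_requests(string $log, string $site_host): array {
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $n => $line) {
        $entry = json_decode($line, true);
        if (!is_array($entry)) {
            continue;                       // skip malformed lines, keep scanning
        }
        if (is_suspicious_request($entry, $site_host)) {
            $hits[] = ['line' => $n + 1] + $entry;
        }
    }
    return $hits;
}

foreach (find_suspicious_requests(SAMPLE_LOG, 'example.test') as $hit) {
    printf("line %d: %s user=%s ip=%s action=%s referer=%s\n",
        $hit['line'], $hit['ts'], $hit['user'], $hit['ip'], $hit['action'],
        $hit['referer'] === '' ? '(none)' : $hit['referer']);
}
```

Run with php on the command line. Two design choices differ from the literal SIEM pattern: an empty Referer is treated as a hit rather than ignored, since browsers and privacy settings can strip it and a forged submission may carry none, and the Referer is checked by host and path instead of a wildcard substring, so a page at another host that merely contains "wp-admin" in its URL does not pass as trusted.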