
CVE-2025-12718: CWE-20 Improper Input Validation in saadiqbal Quick Contact Form

Severity: Medium
Tags: Vulnerability, CVE-2025-12718, CWE-20
Published: Sat Jan 17 2026 (01/17/2026, 02:22:32 UTC)
Source: CVE Database V5
Vendor/Project: saadiqbal
Product: Quick Contact Form

Description

CVE-2025-12718 is a medium severity vulnerability in the Quick Contact Form WordPress plugin (all versions up to and including 8.2.6) that allows unauthenticated attackers to use the site as an open mail relay via the 'qcf_validate_form' AJAX endpoint. The flaw arises because the endpoint permits user-controlled input to set the 'from' email address without proper validation, enabling attackers to send emails to arbitrary recipients through the vulnerable server. This can lead to abuse such as spam distribution or phishing campaigns that appear to originate from trusted domains. No authentication or user interaction is required, and the vulnerability affects all plugin versions. While no known exploits are currently reported in the wild, the vulnerability's scope and ease of exploitation make it a significant risk for WordPress sites using this plugin. The CVSS score is 5.8 (medium), reflecting no direct confidentiality impact but a limited integrity impact from unauthorized mail sending. European organizations running WordPress sites with this plugin should prioritize mitigation to prevent misuse of their mail servers.

AI-Powered Analysis

Last updated: 01/17/2026, 02:51:50 UTC

Technical Analysis

CVE-2025-12718 is a vulnerability classified under CWE-20 (Improper Input Validation) affecting the Quick Contact Form plugin for WordPress, maintained by the vendor saadiqbal. The vulnerability exists in all versions up to and including 8.2.6. The root cause is the 'qcf_validate_form' AJAX endpoint, which accepts a user-controlled parameter that sets the 'from' email address in outgoing emails. Because this input is not properly validated or sanitized, unauthenticated attackers can manipulate it to send emails with arbitrary 'from' addresses to arbitrary recipients, effectively turning the vulnerable server into an open mail relay. This can facilitate spam campaigns, phishing attacks, or other malicious email activities that abuse the trustworthiness of the compromised server's domain. The vulnerability does not require any authentication or user interaction, making it easier to exploit remotely over the network. The CVSS v3.1 base score is 5.8, with vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, and a scope change due to the ability to affect other systems via email. The impact is primarily on integrity, as attackers can send unauthorized emails, but confidentiality and availability are not directly affected. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the published date (January 17, 2026).

Potential Impact

For European organizations, this vulnerability poses a risk of their WordPress-hosted websites being abused as open mail relays. This can lead to reputational damage if their domains are used to send spam or phishing emails, potentially causing their mail servers or IP addresses to be blacklisted by email providers and security services. Such blacklisting can disrupt legitimate email communications, impacting business operations and customer trust. Additionally, attackers may leverage this vulnerability to conduct targeted phishing campaigns against European users or partners, increasing the risk of credential theft or malware infections. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face compliance risks if the vulnerability leads to indirect data breaches or fraud. The ease of exploitation without authentication increases the likelihood of automated abuse attempts, making timely mitigation critical.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the Quick Contact Form plugin and its version. If the plugin is installed, they should disable or remove it until a vendor patch is available. In the absence of an official patch, organizations can implement temporary mitigations such as restricting access to the 'qcf_validate_form' AJAX endpoint via web application firewall (WAF) rules or server-level access controls to block unauthenticated requests. Additionally, configuring outbound mail servers to require authentication and to reject emails with spoofed 'from' addresses can reduce abuse. Monitoring outgoing email traffic for unusual patterns or spikes can help detect exploitation attempts. Organizations should also ensure that their email servers are properly configured with SPF, DKIM, and DMARC records to help receiving mail servers identify and reject spoofed emails. Finally, maintaining regular backups and monitoring WordPress plugin updates will facilitate prompt patching once a fix is released.
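One way to implement the outbound-abuse monitoring recommended above is to watch the web server's access log for clients hammering the vulnerable AJAX action. The following is an added example, not part of the advisory or the plugin; it assumes Apache/nginx combined log format and that the WordPress 'action' parameter appears in the query string (the sample log lines are constructed).

```python
# Added example (not from the advisory): flag clients that burst requests at the
# qcf_validate_form AJAX action in Apache/nginx combined-format logs. Assumes the
# 'action' parameter is in the query string (a POST body would not be logged).
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" \d{3}')
TARGET_ACTION = "qcf_validate_form"

def parse_line(line):
    """Return (ip, timestamp, action) for an admin-ajax.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = parse_qs(url.query).get("action", [None])[0]
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"), action

def find_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total} for clients exceeding `threshold` hits in any `window`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == TARGET_ACTION:
            per_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged

def _line(ip, second, action=TARGET_ACTION):
    # One constructed combined-format line; RFC 5737 documentation addresses, not real traffic.
    return (f'{ip} - - [17/Jan/2026:02:22:{second:02d} +0000] "POST /wp-admin/'
            f'admin-ajax.php?action={action} HTTP/1.1" 200 512 "-" "curl/8.0"')

SAMPLE_LOG = [_line("198.51.100.7", s) for s in range(0, 35, 5)]  # 7 hits in 30 s
SAMPLE_LOG += [_line("203.0.113.5", 10),                          # one normal submission
               _line("203.0.113.5", 40, action="heartbeat"),      # unrelated AJAX action
               '203.0.113.9 - - [17/Jan/2026:02:23:01 +0000] "GET /contact/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"']
```

Feed `find_bursts` the real access log (one line per element) and forward the flagged addresses to your WAF or rate limiter; the threshold should sit well above the site's legitimate contact-form rate.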


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-04T20:55:18.963Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 696af5b4b22c7ad8685027a6

Added to database: 1/17/2026, 2:36:36 AM

Last enriched: 1/17/2026, 2:51:50 AM

Last updated: 1/17/2026, 4:01:57 AM
