CVE-2025-12718: CWE-20 Improper Input Validation in saadiqbal Quick Contact Form
The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user-controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details.
AI Analysis
Technical Summary
CVE-2025-12718 identifies a vulnerability in the Quick Contact Form plugin for WordPress, affecting all versions up to and including 8.2.6. The root cause is improper input validation (CWE-20) in the 'qcf_validate_form' AJAX endpoint, which accepts a user-controlled parameter that sets the 'from' email address of outgoing messages. Because the endpoint is reachable without authentication, an attacker can supply an arbitrary 'from' address and have the server send mail to any recipient, effectively turning it into an open mail relay. This can be exploited for spam, phishing, or other malicious email campaigns that trade on the trust of the affected server's domain. The vulnerability does not expose sensitive data or allow direct system compromise, but it undermines email integrity and can damage organizational reputation. The CVSS v3.1 score is 5.8 (medium), reflecting a network attack vector, no privileges required, no user interaction, and a scope change due to the relay capability. No patches or official fixes are currently linked, and no exploitation in the wild had been observed as of the published date. Because the plugin is widely used in WordPress environments, the issue is a relevant concern for many organizations relying on WordPress for their web presence and communication.
Potential Impact
The primary impact of this vulnerability is the potential misuse of affected WordPress servers as open mail relays. This can lead to several negative consequences for organizations worldwide: increased spam and phishing emails sent from legitimate domains, damaging the organization's email reputation and potentially causing blacklisting by email providers. This can disrupt legitimate email communications and harm customer trust. Additionally, attackers may use the relay to obfuscate their origin, complicating incident response and attribution. While the vulnerability does not directly compromise system confidentiality or availability, the indirect effects on brand reputation, email deliverability, and potential legal or compliance issues related to spam propagation can be significant. Organizations with high email communication volumes or those in regulated industries may face amplified risks. The vulnerability also increases the attack surface for broader phishing campaigns that could lead to credential theft or malware distribution.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the presence of the Quick Contact Form plugin and verify the version in use. Since no official patch links are currently provided, administrators should consider the following mitigations:
- temporarily disable or remove the Quick Contact Form plugin until a secure update is available;
- restrict access to the 'qcf_validate_form' AJAX endpoint via web application firewalls (WAFs) or server-level access controls to prevent unauthenticated requests;
- implement email sending restrictions on the server to prevent unauthorized relaying, such as enforcing strict SMTP authentication and limiting allowed 'from' addresses;
- monitor outgoing email logs for unusual or unauthorized activity indicative of relay abuse;
- employ rate limiting on contact form submissions to reduce abuse potential;
- stay informed on vendor updates or patches addressing this vulnerability.
Additionally, organizations should review their email reputation and implement SPF, DKIM, and DMARC records to help mitigate spoofing and relay abuse consequences.
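Two of the mitigations above (limiting the allowed 'from' address and refusing unauthenticated requests to the endpoint) can be enforced site-wide from a must-use plugin without touching the vulnerable plugin's code. The following is an added example written for this page; it is not code from the Quick Contact Form plugin or from the advisory. It assumes the endpoint is dispatched through admin-ajax.php as the action named on the page (so WordPress exposes it on the `wp_ajax_nopriv_qcf_validate_form` hook), and it uses `noreply@example.com` as a placeholder sender that must be replaced with an address on a domain whose SPF, DKIM and DMARC records the site controls.

```php
<?php
/**
 * Plugin Name: Force outbound From address and gate qcf_validate_form
 * Description: Added defensive example, not part of the Quick Contact Form plugin.
 *              Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Placeholder sender identity: replace with an address on a domain you control.
const HARDEN_MAIL_FROM      = 'noreply@example.com';
const HARDEN_MAIL_FROM_NAME = 'Website Contact Form';

/**
 * wp_mail() applies 'wp_mail_from' after it has parsed any "From:" header the
 * caller supplied, so returning a fixed value here overrides a request-controlled
 * 'from' parameter no matter how the plugin passed it in. PHP_INT_MAX priority
 * makes this the last filter to run.
 */
add_filter( 'wp_mail_from', function ( $from ) {
    return HARDEN_MAIL_FROM;
}, PHP_INT_MAX );

add_filter( 'wp_mail_from_name', function ( $name ) {
    return HARDEN_MAIL_FROM_NAME;
}, PHP_INT_MAX );

/**
 * Belt and braces for SMTP plugins that inspect the raw headers themselves:
 * drop any caller-supplied "From:" header before wp_mail() hands the message on.
 * "Reply-To:" is left intact so the site owner can still answer the visitor.
 */
add_filter( 'wp_mail', function ( array $args ) {
    $headers = $args['headers'] ?? array();
    if ( is_string( $headers ) ) {
        // wp_mail() accepts headers as a newline-separated string or an array.
        $headers = preg_split( '/\r\n|\r|\n/', $headers );
    }
    $args['headers'] = array_values( array_filter( (array) $headers, function ( $h ) {
        return stripos( ltrim( (string) $h ), 'from:' ) !== 0;
    } ) );
    return $args;
}, PHP_INT_MAX );

/**
 * Refuse unauthenticated requests to the vulnerable action. Priority 0 runs
 * before the plugin's own handler (default priority 10), and wp_send_json_error()
 * terminates the request, so the plugin's code never executes for this call.
 * Logged-in users still reach the handler through the wp_ajax_ (non-nopriv) hook.
 */
add_action( 'wp_ajax_nopriv_qcf_validate_form', function () {
    error_log( sprintf(
        'blocked unauthenticated qcf_validate_form request from %s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}, 0 );
```

The last hook disables the form for anonymous visitors, which is exactly what the page's "restrict access to the endpoint" recommendation implies; where the contact form must stay public, keep only the three `wp_mail*` filters, which remove the relay value (a spoofable sender) while letting submissions through, and pair them with the rate limiting and outbound-mail monitoring listed above. The `error_log` line gives the monitoring step a concrete signal to alert on.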
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-04T20:55:18.963Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696af5b4b22c7ad8685027a6
Added to database: 1/17/2026, 2:36:36 AM
Last enriched: 2/27/2026, 9:03:18 PM
Last updated: 3/26/2026, 4:06:47 AM