CVE-2025-12718: CWE-20 Improper Input Validation in saadiqbal Quick Contact Form
The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details.
AI Analysis
Technical Summary
CVE-2025-12718 affects the Quick Contact Form plugin for WordPress, where improper input validation in the 'qcf_validate_form' AJAX endpoint allows an attacker to specify the 'from' email address arbitrarily. This results in an open mail relay vulnerability, enabling unauthenticated attackers to send emails through the server to arbitrary recipients. The vulnerability is present in all versions up to and including 8.2.6. The CVSS 3.1 base score is 5.8, reflecting medium severity with network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to integrity (email misuse). No patch or official fix has been documented in the provided data.
Potential Impact
The vulnerability allows unauthenticated attackers to misuse the affected server as an open mail relay, potentially facilitating spam or phishing campaigns by sending emails with arbitrary 'from' addresses. There is no direct impact on confidentiality or availability, but the integrity of email communications can be compromised. This misuse could affect the reputation of the hosting server and lead to blacklisting by email providers.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling or restricting access to the 'qcf_validate_form' AJAX endpoint or implementing server-level email sending restrictions to prevent unauthorized relay. Monitoring outgoing email traffic for unusual patterns may help detect exploitation attempts.
CVE-2025-12718: CWE-20 Improper Input Validation in saadiqbal Quick Contact Form
Description
The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-12718 affects the Quick Contact Form plugin for WordPress, where improper input validation in the 'qcf_validate_form' AJAX endpoint allows an attacker to specify the 'from' email address arbitrarily. This results in an open mail relay vulnerability, enabling unauthenticated attackers to send emails through the server to arbitrary recipients. The vulnerability is present in all versions up to and including 8.2.6. The CVSS 3.1 base score is 5.8, reflecting medium severity with network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to integrity (email misuse). No patch or official fix has been documented in the provided data.
Potential Impact
The vulnerability allows unauthenticated attackers to misuse the affected server as an open mail relay, potentially facilitating spam or phishing campaigns by sending emails with arbitrary 'from' addresses. There is no direct impact on confidentiality or availability, but the integrity of email communications can be compromised. This misuse could affect the reputation of the hosting server and lead to blacklisting by email providers.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling or restricting access to the 'qcf_validate_form' AJAX endpoint or implementing server-level email sending restrictions to prevent unauthorized relay. Monitoring outgoing email traffic for unusual patterns may help detect exploitation attempts.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-11-04T20:55:18.963Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 696af5b4b22c7ad8685027a6
Added to database: 1/17/2026, 2:36:36 AM
Last enriched: 4/9/2026, 9:24:29 AM
Last updated: 5/9/2026, 11:34:07 PM
Views: 168
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.