CVE-2026-1394 describes a CSRF vulnerability in the WP Quick Contact Us plugin for WordPress, affecting all versions up to and including 1.0. The issue arises because the plugin does not implement nonce validation when updating its settings, enabling attackers to craft malicious requests that, if executed by an authenticated administrator, can alter plugin settings without proper authorization. The vulnerability requires user interaction (UI:R) and has no direct confidentiality or availability impact but can lead to integrity loss of plugin configuration.

An attacker can cause an authenticated site administrator to unknowingly modify the plugin's settings by tricking them into clicking a malicious link or visiting a crafted webpage. This can lead to unauthorized changes in the plugin configuration, potentially affecting site behavior or security posture. There is no direct impact on confidentiality or availability reported.

No official patch or fix is currently available for this vulnerability. Administrators should exercise caution and avoid interacting with untrusted links or sites while managing plugin settings. Monitor the vendor's advisory channels for updates regarding a patch or official remediation. Implementing additional security controls such as web application firewalls that detect CSRF attempts may provide temporary mitigation.