PT-2026-3337 · WordPress · Quick Contact Form
Published: 2026-01-17 · Updated: 2026-01-17 · CVE-2025-12718
CVSS v3.1: 5.8 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Quick Contact Form plugin for WordPress versions up to and including 8.2.6
Description
The Quick Contact Form plugin for WordPress is susceptible to an Open Mail Relay issue. The qcf_validate_form API endpoint allows manipulation of the 'from' email address through a user-controlled parameter. This enables unauthenticated attackers to send emails to arbitrary recipients using the server, leveraging contact form submission details.
Recommendations
Update the Quick Contact Form plugin to a version newer than 8.2.6.
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Quick Contact Form