CVE-2025-54020

2025-07-16 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Erik AntiSpam for Contact Form 7 cf7-antispam allows Cross Site Request Forgery. This issue affects AntiSpam for Contact Form 7: from n/a through <= 0.6.3.

Analysis

The AntiSpam for Contact Form 7 plugin (cf7-antispam, by Erik) in versions up to and including 0.6.3 fails to verify a nonce on state-changing administrative requests. An attacker who lures a logged-in administrator to a page they control can therefore make that administrator's browser submit a forged request that modifies plugin settings or triggers other plugin actions. The vulnerability affects WordPress installations with this plugin active. The extremely low EPSS score (0.02%) reflects the practical barriers to exploitation: an authenticated administrator must visit attacker-controlled content while logged in, and the attacker never sees the response, so real-world impact is expected to be limited.

Technical Context

Cross-Site Request Forgery (CWE-352) occurs when a web application does not verify that a state-changing request was deliberately issued by the authenticated user, rather than triggered by an attacker-controlled page loaded in that user's browser; because the browser attaches the session cookies automatically, the forged request arrives fully authenticated. AntiSpam for Contact Form 7, a WordPress anti-spam extension, lacks adequate CSRF token verification in its administrative functions. An attacker can therefore craft a web page or HTML email containing a request that, when loaded by a logged-in WordPress administrator, executes unintended actions within the plugin's configuration or operation without the administrator's knowledge or consent. In WordPress this is a well-known class of plugin bug: every admin form, admin-post or admin-ajax handler that changes state is expected to emit a nonce (wp_nonce_field() or wp_create_nonce()) and verify it (check_admin_referer(), check_ajax_referer() or wp_verify_nonce()) alongside a current_user_can() capability check, since a nonce proves intent but not authorization.
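The nonce-plus-capability pattern described above, as an added illustration written for this page and not code from the cf7-antispam plugin: a minimal WordPress settings handler in its unprotected form beside its hardened form. The option name, action slug, nonce name and the functions named example_* are hypothetical; the file assumes a WordPress test site where it is dropped into wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: CSRF-hardened settings example
 * Description: Added illustration for CVE-2025-54020; not cf7-antispam code.
 *
 * Drop into wp-content/mu-plugins/ on a test site. The option name, action
 * slug and nonce name are hypothetical and do not belong to any real plugin.
 */

const EXAMPLE_OPTION     = 'example_antispam_blocklist';
const EXAMPLE_ACTION     = 'example_antispam_save';
const EXAMPLE_NONCE_NAME = 'example_antispam_nonce';

// --- Vulnerable pattern (CWE-352), shown for comparison and deliberately NOT
// registered on any hook. Nothing ties the request to the admin's intent, so a
// <form> on any site the admin visits can POST to admin-post.php?action=...,
// the browser attaches the logged-in cookies, and the option is overwritten.
function example_save_settings_vulnerable() {
    update_option( EXAMPLE_OPTION, sanitize_text_field( wp_unslash( $_POST['blocklist'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=' . EXAMPLE_ACTION ) );
    exit;
}

// --- Hardened pattern: capability check, then nonce check, then the write.
function example_save_settings_hardened() {
    // Authorization: only users allowed to manage settings may reach the write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Intent: check_admin_referer() validates the nonce bound to this action and
    // this user's session. A cross-site page cannot read or mint it, so a forged
    // request dies here with "The link you followed has expired."
    check_admin_referer( EXAMPLE_ACTION, EXAMPLE_NONCE_NAME );

    update_option( EXAMPLE_OPTION, sanitize_text_field( wp_unslash( $_POST['blocklist'] ?? '' ) ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=' . EXAMPLE_ACTION ) ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; anonymous requests would
// need admin_post_nopriv_{action}, which this example deliberately does not add.
add_action( 'admin_post_' . EXAMPLE_ACTION, 'example_save_settings_hardened' );

// Settings page: the form must emit the same nonce the handler verifies.
function example_render_settings_page() {
    ?>
    <div class="wrap">
        <h1>Example AntiSpam settings</h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_ACTION ); ?>">
            <?php wp_nonce_field( EXAMPLE_ACTION, EXAMPLE_NONCE_NAME ); ?>
            <textarea name="blocklist" rows="6" cols="60"><?php
                echo esc_textarea( get_option( EXAMPLE_OPTION, '' ) );
            ?></textarea>
            <?php submit_button( 'Save' ); ?>
        </form>
    </div>
    <?php
}
add_action( 'admin_menu', function () {
    add_options_page( 'Example AntiSpam', 'Example AntiSpam', 'manage_options', EXAMPLE_ACTION, 'example_render_settings_page' );
} );
```

To see the difference, save the form normally (the nonce field is present and the option updates), then replay the same POST from a page on another origin or with the nonce field removed: the hardened handler stops at check_admin_referer(), whereas the vulnerable handler would have written the option. For wp_ajax_* handlers the equivalent call is check_ajax_referer(), with the nonce passed as a request parameter instead of a hidden form field; in both cases the capability check stays, because a valid nonce only proves the request came from the user's own page, not that the user is allowed to perform the action.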

Affected Products

Erik AntiSpam for Contact Form 7 (WordPress plugin, also referenced as cf7-antispam) versions 0.6.3 and earlier are affected. The exact range is described as 'from n/a through <= 0.6.3,' indicating all released versions up to and including 0.6.3 are vulnerable. The plugin is distributed via the WordPress Plugin Directory. More details are available in the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/cf7-antispam/vulnerability/wordpress-antispam-for-contact-form-7-plugin-0-6-3-cross-site-request-forgery-csrf-vulnerability.

Remediation

Update AntiSpam for Contact Form 7 to a version newer than 0.6.3 as soon as one is available. WordPress administrators should open the plugin management dashboard, locate 'AntiSpam for Contact Form 7' and apply the latest update. If the vendor has not yet released a patched version, consider temporarily deactivating the plugin until an update is available, and monitor the Patchstack database and the plugin's release notes for patch availability. More generally, keep every WordPress site on a security-focused plugin management workflow that includes regular patching and periodic audits confirming that each state-changing admin handler verifies a nonce and checks the caller's capability.

Priority Score

Score: 0 on a Low / Medium / High / Critical scale
Components: KEV 0, EPSS +0.0, CVSS +0, POC 0
