CVE-2025-62134
Description
Cross-Site Request Forgery (CSRF) vulnerability in A WP Life Contact Form Widget new-contact-form-widget allows Cross Site Request Forgery. This issue affects Contact Form Widget: from n/a through <= 1.5.1.
Analysis
A Cross-Site Request Forgery vulnerability in the A WP Life Contact Form Widget plugin, version 1.5.1 and earlier, allows an unauthenticated attacker to perform unauthorized actions on behalf of an authenticated user by luring that user into submitting a crafted request. No CVSS score or public exploit code is available; the assigned exploitation probability is low (EPSS 0.02%) and the weakness is categorized as CWE-352 (CSRF). No active exploitation has been reported.
Technical Context
The vulnerability is a classic Cross-Site Request Forgery (CWE-352) flaw affecting the A WP Life Contact Form Widget WordPress plugin. CSRF vulnerabilities occur when a web application fails to validate the origin of state-changing requests, for example through nonce verification or CSRF tokens. WordPress plugins that handle forms, settings, or other user-triggered actions are commonly affected when they do not check a WordPress nonce (or an equivalent CSRF protection) before acting on a request. Without such validation, an attacker can craft a malicious HTML page or script that, when an authenticated user of the plugin visits it, automatically submits requests to the vulnerable plugin without the user's explicit consent.
Affected Products
The vulnerability affects the A WP Life Contact Form Widget (also referenced as Contact Form Widget) WordPress plugin in version 1.5.1 and earlier. The exact affected version range prior to 1.5.1 is not specified in the advisory. Affected installations are those running the plugin on WordPress sites whose authenticated users may be targeted by CSRF attacks. See https://patchstack.com/database/Wordpress/Plugin/new-contact-form-widget/vulnerability/wordpress-contact-form-widget-plugin-1-5-1-cross-site-request-forgery-csrf-vulnerability for details.
Remediation
Update the A WP Life Contact Form Widget plugin to the latest version released after 1.5.1. The exact patched version number is not provided in the available data; check the plugin's official WordPress.org page or the vendor advisory for the current release. If no update is available, disable the plugin as a temporary mitigation until a patch is released. WordPress administrators should verify that the plugin generates and validates a WordPress nonce (or an equivalent CSRF protection) on every state-changing form submission. See https://patchstack.com/database/Wordpress/Plugin/new-contact-form-widget/vulnerability/wordpress-contact-form-widget-plugin-1-5-1-cross-site-request-forgery-csrf-vulnerability for vendor guidance.
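The nonce-validation pattern referred to in the Technical Context and Remediation sections, as an added PHP illustration that is not code from the Contact Form Widget plugin: a hypothetical settings-save handler (function names, option name, hook name and nonce action are all assumed) shown first without request validation and then with the WordPress nonce and capability checks that close the CWE-352 gap.

```php
<?php
// Added illustration, not code from the Contact Form Widget plugin.
// Hypothetical plugin settings handler shown twice: first without request
// validation (the CWE-352 pattern this advisory describes), then with a
// WordPress nonce check and a capability check.

// BEFORE: any POST reaching admin-post.php?action=cfw_save_settings is
// honoured as long as the browser carries a logged-in cookie; nothing
// proves the request came from the plugin's own settings form.
function cfw_save_settings_vulnerable() {
    $email = sanitize_email( $_POST['cfw_recipient'] ?? '' );
    update_option( 'cfw_recipient', $email ); // state change, no origin check
    wp_safe_redirect( admin_url( 'admin.php?page=cfw' ) );
    exit;
}

// AFTER: the settings form embeds a nonce tied to the action name and the
// current user's session, and the handler refuses requests without it.
function cfw_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cfw_save_settings">
        <?php wp_nonce_field( 'cfw_save_settings', 'cfw_nonce' ); ?>
        <input type="email" name="cfw_recipient"
               value="<?php echo esc_attr( get_option( 'cfw_recipient', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function cfw_save_settings_hardened() {
    // Dies with HTTP 403 unless the nonce is present, matches the action and
    // belongs to the current user's session. The field name must match the
    // second argument given to wp_nonce_field() in the form above.
    check_admin_referer( 'cfw_save_settings', 'cfw_nonce' );

    // A valid nonce proves the request originated from our form; it does not
    // prove the user may change settings, so check the capability as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'cfw' ), '', array( 'response' => 403 ) );
    }

    $email = sanitize_email( wp_unslash( $_POST['cfw_recipient'] ?? '' ) );
    update_option( 'cfw_recipient', $email );
    wp_safe_redirect( admin_url( 'admin.php?page=cfw' ) );
    exit;
}

// Only the hardened handler is registered for the admin-post.php action.
add_action( 'admin_post_cfw_save_settings', 'cfw_save_settings_hardened' );
```

When reviewing a plugin for this class of issue, look for every handler that calls update_option(), wp_update_post() or similar on request data and confirm it performs a nonce check such as check_admin_referer() or check_ajax_referer() before acting.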