Skip to main content

CVE-2025-62134

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-31 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 14:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in A WP Life Contact Form Widget new-contact-form-widget allows Cross Site Request Forgery.This issue affects Contact Form Widget: from n/a through <= 1.5.1.

AnalysisAI

Cross-Site Request Forgery vulnerability in A WP Life Contact Form Widget plugin version 1.5.1 and earlier allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability lacks a CVSS score and public exploit code, but is assigned low exploitation probability (EPSS 0.02%) and categorized under CWE-352 (CSRF). No active exploitation has been reported.

Technical ContextAI

The vulnerability is a classic Cross-Site Request Forgery (CWE-352) flaw affecting the A WP Life Contact Form Widget WordPress plugin. CSRF vulnerabilities occur when web applications fail to implement proper state-validation mechanisms, such as nonce verification or CSRF tokens, when processing state-changing requests. WordPress plugins that interact with forms, settings, or user-triggered actions are commonly affected if they do not validate the origin of requests using WordPress nonces or similar CSRF protection mechanisms. The lack of proper request validation allows an attacker to craft malicious HTML or JavaScript that, when visited by an authenticated plugin user, automatically submits requests to the vulnerable plugin without explicit user consent.

Affected ProductsAI

The vulnerability affects A WP Life Contact Form Widget (also referenced as Contact Form Widget) WordPress plugin from version 1.5.1 and earlier. The exact affected version range prior to 1.5.1 is not specified in the advisory. Affected installations are those running the plugin on WordPress sites where authenticated users may be targeted by CSRF attacks. See https://patchstack.com/database/Wordpress/Plugin/new-contact-form-widget/vulnerability/wordpress-contact-form-widget-plugin-1-5-1-cross-site-request-forgery-csrf-vulnerability for details.

RemediationAI

Update the A WP Life Contact Form Widget plugin to the latest version released after 1.5.1. Exact patched version number is not provided in available data; check the plugin's official WordPress.org page or vendor advisory for the current release. If an update is not available, implement temporary mitigation by disabling the plugin until a patch is released. WordPress administrators should ensure all nonces are properly generated and validated in form submissions and verify that the plugin uses WordPress nonces or equivalent CSRF protection mechanisms. See https://patchstack.com/database/Wordpress/Plugin/new-contact-form-widget/vulnerability/wordpress-contact-form-widget-plugin-1-5-1-cross-site-request-forgery-csrf-vulnerability for vendor guidance.

Share

CVE-2025-62134 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy