Skip to main content

Creative-Solutions Creative Contact Form EUVDEUVD-2025-28469

| CVE-2025-52794 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-06-20 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 15, 2026 - 00:19 euvd
EUVD-2025-28469
Analysis Generated
Mar 15, 2026 - 00:19 vuln.today
CVE Published
Jun 20, 2025 - 15:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Creative-Solutions Creative Contact Form allows Stored XSS. This issue affects Creative Contact Form: from n/a through 1.0.0.

AnalysisAI

CVE-2025-52794 is a Cross-Site Request Forgery (CSRF) vulnerability in Creative-Solutions Creative Contact Form (versions up to 1.0.0) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads through contact form submissions, affecting any user who views the contaminated form data. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low attack complexity, making it readily exploitable in typical web deployments.

Technical ContextAI

This vulnerability combines two distinct attack classes: CSRF (CWE-352) as the primary vector and Stored XSS as the impact. The Creative Contact Form plugin lacks CSRF token validation (anti-CSRF mechanisms) on form submission endpoints, allowing attackers to craft state-changing requests without user authorization. The absence of output encoding or input sanitization permits injected JavaScript to persist in the application's database or session handling, executing in the context of subsequent users' browsers. This affects the Creative-Solutions product line, specifically the Creative Contact Form component versions 1.0.0 and earlier. The vulnerability likely resides in the form processing handler that accepts user input without adequate CSRF protection (missing SameSite cookie attributes, CSRF tokens, or origin validation) and fails to sanitize output when rendering stored contact form data.

RemediationAI

Immediate actions: (1) Disable or remove Creative Contact Form plugin if not actively required; (2) Restrict access to contact form pages via WAF rules or IP allowlisting if feasible; (3) Implement Content Security Policy (CSP) headers to mitigate Stored XSS execution. Patch actions: (1) Monitor Creative-Solutions official advisory/changelog for patched versions > 1.0.0; (2) Apply vendor patch immediately upon release; (3) If no patch is available, implement manual code hardening: add CSRF token validation using industry-standard libraries (e.g., OWASP CSRF Guard), sanitize all form output with HTML entity encoding or a whitelist-based HTML filter (e.g., HTML Purifier). Workarounds: (1) Implement server-side input validation and output encoding; (2) Apply CSP headers with script-src 'self' to block inline/external script injection; (3) Use HTTPOnly and Secure flags on session cookies, combined with SameSite=Strict attribute to limit CSRF impact. Monitoring: Enable logging and alerting on form submission patterns and stored XSS signatures in form data fields.

Share

EUVD-2025-28469 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy