{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5933", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-09T15:17:16.998Z", "datePublished": "2025-07-04T01:44:00.174Z", "dateUpdated": "2026-04-08T16:36:13.798Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:13.798Z"}, "affected": [{"vendor": "richarddev7", "product": "RD Contacto", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "RD Contacto <= 1.4 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/113b3093-18fe-40ae-85af-aae1945201db?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/rd-wapp/trunk/includes/rdwapp-class.php#L35"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-07-03T12:22:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-07T19:46:34.572775Z", "id": "CVE-2025-5933", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-08T17:39:27.519Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5933", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-07T19:46:34.572775Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-07T19:46:36.068Z"}}], "cna": {"title": "RD Contacto <= 1.4 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "richarddev7", "product": "RD Contacto", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-03T12:22:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/113b3093-18fe-40ae-85af-aae1945201db?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/rd-wapp/trunk/includes/rdwapp-class.php#L35"}], "descriptions": [{"lang": "en", "value": "The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:13.798Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5933", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:36:13.798Z", "dateReserved": "2025-06-09T15:17:16.998Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-04T01:44:00.174Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento RD Contacto para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.4 incluida. Esto se debe a la falta o a una validaci\u00f3n incorrecta del nonce en la funci\u00f3n rdWappUpdateData(). Esto permite que atacantes no autenticados actualicen la configuraci\u00f3n del complemento mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace. "}], "id": "CVE-2025-5933", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-04T03:15:21.407", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rd-wapp/trunk/includes/rdwapp-class.php#L35"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/113b3093-18fe-40ae-85af-aae1945201db?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:44:21.646798+00:00", "value": {"mitigation_remediation": ["Upgrade the RD Contacto plugin to the latest secure release that includes proper nonce validation.", "If the plugin is no longer needed, uninstall it to remove the vulnerable functionality.", "Train site administrators to recognize social\u2011engineering attempts and avoid clicking suspicious external links that could trigger unintended requests."], "summary": {"action": "Patch", "impact": "Unauthorized modification of plugin settings via CSRF"}, "threat_synthesis": {"affected_systems": "WordPress sites running the RD Contacto plugin by richarddev7, versions 1.4 and earlier, are affected. Any installation of this plugin without upgrading to a newer release is exposed.", "description_and_impact": "The RD Contacto plugin for WordPress is vulnerable to cross\u2011site request forgery in all versions up to and including 1.4. Because the rdWappUpdateData() function lacks proper nonce validation, an attacker can forge a request and cause a logged\u2011in administrator to update plugin settings. This allows the attacker to modify configuration\u2014potentially enabling malicious behavior\u2014without needing valid credentials.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% reflects a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The exploit requires that the victim be an authenticated administrator who is tricked into visiting a crafted URL\u2014typical of a CSRF attack. Because the attacker does not need to compromise credentials, the risk is present if social engineering succeeds, but the low EPSS suggests it is not a currently widely used vector."}}}}, "created": "2025-07-13T21:47:36.971201+00:00", "updated": "2026-04-22T14:45:19.295880+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}