{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9944", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-03T13:05:44.835Z", "datePublished": "2025-09-27T06:47:15.568Z", "dateUpdated": "2026-04-08T17:17:49.749Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:49.749Z"}, "affected": [{"vendor": "kelderic", "product": "Professional Contact Form", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Professional Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the watch_for_contact_form_submit function. This makes it possible for unauthenticated attackers to trigger test email sending via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Professional Contact Form <= 1.0.0 - Cross-Site Request Forgery to Test Email Sending", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8a82989-e7e7-484a-b619-3897d88872b9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/professional-contact-form/tags/1.0.0/includes/mailer.php#L31"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-09-26T18:37:18.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-29T19:10:25.688498Z", "id": "CVE-2025-9944", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-29T19:10:36.049Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9944", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-29T19:10:25.688498Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-29T19:10:30.592Z"}}], "cna": {"title": "Professional Contact Form <= 1.0.0 - Cross-Site Request Forgery to Test Email Sending", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "kelderic", "product": "Professional Contact Form", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-26T18:37:18.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8a82989-e7e7-484a-b619-3897d88872b9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/professional-contact-form/tags/1.0.0/includes/mailer.php#L31"}], "descriptions": [{"lang": "en", "value": "The Professional Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the watch_for_contact_form_submit function. This makes it possible for unauthenticated attackers to trigger test email sending via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-09-27T06:47:15.568Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9944", "state": "PUBLISHED", "dateUpdated": "2025-09-29T19:10:36.049Z", "dateReserved": "2025-09-03T13:05:44.835Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-27T06:47:15.568Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Professional Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the watch_for_contact_form_submit function. This makes it possible for unauthenticated attackers to trigger test email sending via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9944", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-27T07:15:35.243", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/professional-contact-form/tags/1.0.0/includes/mailer.php#L31"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8a82989-e7e7-484a-b619-3897d88872b9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:27:22.007822+00:00", "value": {"mitigation_remediation": ["Upgrade the Professional Contact Form plugin to the latest version that implements proper CSRF protection and nonce validation.", "If an update is not available, contact the vendor to request a patch or alternative resolution.", "While awaiting a fix, restrict or disable the test\u2011email functionality in the plugin, or enforce stricter admin authentication controls to prevent accidental execution of the vulnerable request."], "summary": {"action": "Patch", "impact": "Unintended Email Sending"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the kelderic Professional Contact Form plugin for WordPress, in all released versions up to and including 1.0.0. The plugin is available for download and installation from the WordPress plugin repository.", "description_and_impact": "The Professional Contact Form plugin for WordPress contains a Cross\u2011Site Request Forgery flaw caused by missing or incorrect nonce validation in the watch_for_contact_form_submit handler. An unauthenticated attacker can force a site administrator to unknowingly trigger the plugin\u2019s test\u2011email function, causing the server to send emails to arbitrary addresses. This allows the attacker to generate spam or phishing messages from the legitimate site, potentially damaging the site\u2019s reputation and abusing its mail server. The weakness corresponds to CWE\u2011352.", "risk_and_exploitability": "The CVSS score is 4.3, indicating a medium impact level. The EPSS score is less than 1\u202f%, suggesting a very low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. The likely attack vector requires the attacker to lure a site administrator into clicking a crafted link or submitting a forged request; no network\u2011level exposure is needed. Because the vulnerability is limited to an admin action, the overall risk is moderate, but organizations with active users might still suffer email reputation damage if an attack succeeds."}}}}, "created": "2025-09-29T09:29:50.167531+00:00", "updated": "2026-04-20T19:30:06.169382+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}