cleantalk
Vulnerabilities and Security Researches

Quick Contact Form, CVE-2025-12718

CVE, Research URL

CVE-2025-12718

Home page URL

Security reports for Quick Contact Form

Application

Quick Contact Form

Published on
Jan 17, 2026
Research Description
The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details.
Affected versions
max 8.2.7.
Status
vulnerable
Previous vulnerability researches
Quick Contact Form (CVE-2022-4974) , Nov 14, 2024
Quick Contact Form (7e32520d86675f60cdeac530f6e120485d98fb69) , Jun 06, 2024
Quick Contact Form (CVE-2023-23885) , Jun 06, 2024
Quick Contact Form (CVE-2022-47608) , Jun 06, 2024
Quick Contact Form (CVE-2025-67471) , Dec 11, 2025
New vulnerability
OOPSpam Anti-Spam (CVE-2026-32544) , Mar 31, 2026
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor (CVE-2026-27042) , Mar 31, 2026
The Conference (CVE-2026-32335) , Mar 31, 2026
WP Booking System – Booking Calendar (CVE-2025-68515) , Mar 31, 2026
UPI QR Code Payment Gateway for WooCommerce (CVE-2025-67969) , Mar 31, 2026