WordPress Plugin Vulnerabilities

Quick Contact Form < 8.2.7 - Unauthenticated Open Mail Relay

Description

The plugin is vulnerable to open mail relay because the 'qcf_validate_form' AJAX endpoint lets a user-controlled request parameter set the 'From' e-mail address. This makes it possible for unauthenticated attackers to send e-mails to arbitrary recipients through the site's mail server. The message content an attacker can inject is limited to the contact form submission details.
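The following is an added illustration of the vulnerable pattern the description implies, placed beside a hardened handler. It is not Quick Contact Form's own code: only the AJAX action name 'qcf_validate_form' comes from the advisory; the request parameter names ('from', 'to', 'message'), the function names and the recipient option are assumptions made for the demonstration.

```php
<?php
// Added illustration, not the plugin's own code. The action name
// 'qcf_validate_form' is from the advisory; parameter names ('from', 'to',
// 'message') and function names are assumptions for this demo.

// --- Vulnerable pattern: request input becomes the From: header (and, in the
// --- simplest shape of an open relay, the recipient as well).
function demo_qcf_validate_form_vulnerable() {
    $from    = $_POST['from'];     // attacker-controlled sender
    $to      = $_POST['to'];       // attacker-controlled recipient: the relay
    $message = $_POST['message'];

    // A From: header built from raw input is also open to CRLF header
    // injection (extra Cc:/Bcc: lines), because wp_mail() splits string
    // headers on newlines before passing them to PHPMailer.
    $headers = 'From: ' . $from;
    wp_mail( $to, 'Contact form', $message, $headers );
    wp_send_json_success();
}

// --- Hardened handler: sender and recipient are fixed by the site, the
// --- visitor's address is validated and only ever placed in Reply-To.
add_action( 'wp_ajax_nopriv_qcf_validate_form', 'demo_qcf_validate_form_hardened' );
add_action( 'wp_ajax_qcf_validate_form',        'demo_qcf_validate_form_hardened' );

function demo_qcf_validate_form_hardened() {
    // A logged-out visitor can still read the nonce from the rendered form,
    // so this only stops blind cross-origin posts; it is not authentication.
    // Rate limiting per IP would be the next layer (omitted here).
    check_ajax_referer( 'qcf_validate_form', 'nonce' );

    $visitor = sanitize_email( wp_unslash( $_POST['from'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );

    // is_email() rejects addresses containing whitespace or CR/LF, which
    // closes the header-injection path as well as garbage senders.
    if ( ! is_email( $visitor ) || '' === $message ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    // Recipient comes from site configuration, never from the request,
    // so the endpoint cannot be used to relay mail to third parties.
    $to = get_option( 'admin_email' );

    // Sender is the site itself (same default shape wp_mail() uses), so the
    // message passes the site's own SPF/DKIM/DMARC policy; the visitor's
    // address goes into Reply-To, which cannot be used to impersonate them
    // as the envelope or header sender.
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    $headers   = array(
        'From: ' . get_bloginfo( 'name' ) . ' <wordpress@' . $site_host . '>',
        'Reply-To: ' . $visitor,
    );

    wp_mail( $to, 'Contact form submission', $message, $headers );
    wp_send_json_success();
}
```

The fix is not "sanitize the From address" but "stop deriving From and To from the request at all": a contact form has exactly one legitimate recipient and one legitimate sender, both known to the site, and anything the visitor types belongs in the body or in Reply-To.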

Affects Plugins

Quick Contact Form
Fixed in 8.2.7

Classification

Type
IDOR
CWE

Miscellaneous

Original Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
Verified
No

Timeline

Publicly Published
2026-01-16
Added
2026-01-16
Last Updated
2026-01-16