WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms < 1.1.4 – Cross-Site Request Forgery | CVE 2025-32269 | Plugin Vulnerabilities

Description

The WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.3. This is due to missing or incorrect nonce validation on the settings_page() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 1.1.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9364c4a3-c43c-43b4-a3e3-14269ca2b928

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Xuan Chien

Verified

No

WPVDB ID

e9508228-31f8-4207-82a8-2bc7ae71d1d5

Timeline

Publicly Published

2025-04-04 (about 1 year ago)

Added

2025-04-22 (about 11 months ago)

Last Updated

2025-04-22 (about 11 months ago)

Other

Published

Title

Published

2014-08-01

Title

A Forms 1.4.0 - Form Submission CSRF

Published

2022-06-01

Title

New User Approve < 2.4 - Arbitrary Settings Update & Invitation Code Creation via CSRF

Published

2015-09-07

Title

Contact Form Generator < 2.5.5 - Multiple Cross-Site Request Forgery (CSRF)

Published

2025-12-12

Title

Image Slider by Ays- Responsive Slider and Carousel < 2.7.1 - Cross-Site Request Forgery to Arbitrary Slider Deletion

Published

2025-02-03

Title

Indeed API <= 0.5 - Cross-Site Request Forgery to Settings Update