CVE-2019-25734: Contact Form by WD CSRF & Local File Inclusion Vulnerability
Contact Form by WD version 1.13.1 has a security flaw that combines two weaknesses: a cross-site request forgery (CSRF) vulnerability and local file inclusion (LFI). An unauthenticated attacker can craft a malicious web form that, when visited by an admin, tricks the admin's browser into loading arbitrary files from the server using directory traversal sequences. This bypasses the normal authentication checks on certain WordPress AJAX actions, potentially exposing sensitive files.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.0 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint with directory traversal sequences in the GET action parameter to load files via CSRF, bypassing authentication on vulnerable AJAX actions.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2019-25734 affects Contact Form by WD 1.13.1 and involves an improper neutralization of special elements used in a file path (CWE-22). The vulnerability chains a CSRF attack with LFI by exploiting unsanitized action parameters in requests to admin-ajax.php. Attackers craft requests containing directory traversal sequences (e.g., ../) in the GET action parameter, which the plugin fails to validate. When an authenticated administrator visits a page hosting the malicious form, the CSRF component causes their browser to submit the request, and the LFI component allows the plugin to include arbitrary files from the server filesystem without proper access controls.
Business impact
An attacker exploiting this vulnerability can read sensitive files stored on the WordPress server, such as configuration files containing database credentials, private keys, or other confidential data. While the CVSS score is MEDIUM (4.0), the integrity impact and reliance on social engineering (admin interaction) limit the severity. However, information disclosure poses a genuine risk to organizations relying on this plugin for form functionality, as compromised credentials could enable lateral movement or further attacks.
Affected systems
Contact Form by WD version 1.13.1 is affected. Organizations using this WordPress plugin in production should verify their deployed version. Administrators and developers responsible for WordPress plugin inventory should identify instances of Contact Form by WD and assess whether they are running 1.13.1 or earlier versions. The vulnerability requires an authenticated administrator to visit a malicious link, so exposure is limited to admin-level WordPress users.
Exploitability
Exploitation requires social engineering to trick an administrator into visiting or interacting with a malicious form. The vulnerability is not remotely exploitable without user interaction, and the attacker cannot force execution. The local attack vector (as indicated by the CVSS vector) suggests the primary risk involves servers where an attacker may have limited local access or the ability to host malicious content that admins might visit. The CVSS score of 4.0 reflects the relatively low base exploitability when accounting for user interaction requirements.
Remediation
Immediately update Contact Form by WD to a patched version released after 1.13.1. Verify the specific version number and release notes against the vendor's official advisory before deployment. As an interim measure, disable the plugin if it is not actively in use, or restrict admin-ajax.php access to known administrative IP ranges using firewall rules or WordPress security plugins. Audit server logs for suspicious requests containing directory traversal sequences targeting admin-ajax.php.
Patch guidance
Check the Contact Form by WD plugin repository or vendor website for a security update addressing CVE-2019-25734. Apply the patch to all affected WordPress installations as soon as available. Test the update in a staging environment first to confirm compatibility with your WordPress version and other plugins. Enable automatic updates for this plugin if your WordPress environment supports it. Document the patch version applied for compliance and inventory purposes.
Detection guidance
Monitor web server and WordPress logs for requests to admin-ajax.php containing directory traversal patterns in the action parameter (e.g., %2e%2e%2f or ../). Use Web Application Firewall (WAF) rules to block requests with unencoded or encoded traversal sequences in query parameters. Deploy WordPress security plugins that can detect and log suspicious AJAX requests. Regular vulnerability scanning of WordPress plugins can identify outdated versions of Contact Form by WD before exploitation occurs.
Why prioritize this
Although the CVSS score is MEDIUM (4.0), this vulnerability should be prioritized for remediation because it enables information disclosure of potentially sensitive files. The exploitation chain, while requiring admin interaction, is straightforward to execute. Organizations with Contact Form by WD installed should treat this as a moderate-priority patch. The fact that it is not yet listed on the Known Exploited Vulnerabilities (KEV) catalog does not diminish its importance—early patching reduces exposure before public exploit code emerges.
Risk score, explained
The CVSS 3.1 score of 4.0 (MEDIUM) reflects an attack vector limited to the local scope (AV:L), low attack complexity (AC:L), no privilege requirements (PR:N), and no user interaction strictly required from a technical standpoint (UI:N). However, in practice, the CSRF component necessitates admin interaction. The score accounts for low integrity impact (I:L) with no confidentiality or availability damage in the base vector. Organizations should contextualize this score within their own risk tolerance; file inclusion vulnerabilities can be more dangerous if sensitive configuration files are accessible.
Frequently asked questions
What versions of Contact Form by WD are vulnerable?
Contact Form by WD version 1.13.1 is confirmed vulnerable. Earlier versions are likely affected; verify against the vendor advisory to confirm which versions contain the fix and update accordingly.
Can this vulnerability be exploited without an administrator visiting a malicious link?
The core vulnerability exists in the plugin code, but practical exploitation requires social engineering to trigger an admin's interaction with a malicious form or CSRF payload. Automated attacks without user interaction are not feasible for this vulnerability.
Does updating to the latest version of Contact Form by WD resolve this issue?
Yes, updating to a patched version after 1.13.1 should resolve the vulnerability. Always verify the patch version and changelog on the official plugin repository before applying.
How can we temporarily mitigate this risk if a patch is not yet available?
Disable the plugin if not actively required, restrict admin-ajax.php access to trusted IPs via firewall or .htaccess, and educate administrators to avoid clicking suspicious links. Monitor logs for exploitation attempts.
This analysis is provided for informational purposes to assist security professionals in vulnerability assessment and remediation planning. No exploit code or weaponized proof-of-concept is included. Verify all patch versions and affected product details against official vendor advisories before implementing any changes. The CVSS score provided reflects the base metric; organizational risk may differ based on deployment context, data sensitivity, and threat landscape. SEC.co does not warrant the completeness or accuracy of vulnerability details beyond those provided by official sources. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2019-25740MEDIUMJoomla com_jsjobs Arbitrary File Deletion Vulnerability
- CVE-2024-47263MEDIUMSynology Hyper Backup Path Traversal – Admin Privilege Required
- CVE-2024-47273MEDIUMSynology Hyper Backup Path Traversal Vulnerability (4.3 MEDIUM)
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller
- CVE-2026-10213MEDIUMAstrBot 4.23.6 Path Traversal in API Endpoint
- CVE-2026-10278MEDIUMPath Traversal in ishayoyo excel-mcp – Exploitation, Detection, and Remediation