CVE-2019-25734 - Vulnerability Details

Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint with directory traversal sequences in the GET action parameter to load files via CSRF, bypassing authentication on vulnerable AJAX actions.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Web-dorado	Contact Form Maker

No data.

References

Link	Providers
http://web-dorado.com/
https://wordpress.org/plugins/contact-form-maker
https://www.exploit-db.com/exploits/46661
https://www.vulncheck.com/advisories/contact-form-by-wd-csrf-to-local-file-inclusion

History

Thu, 04 Jun 2026 13:30:00 +0000

Type	Values Removed	Values Added
Description		Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint with directory traversal sequences in the GET action parameter to load files via CSRF, bypassing authentication on vulnerable AJAX actions.
Title		Contact Form by WD 1.13.1 CSRF to Local File Inclusion
First Time appeared		Web-dorado Web-dorado contact Form Maker
Weaknesses		CWE-22
CPEs		cpe:2.3:a:web-dorado:contact_form_maker:1.13.1:::::wordpress::
Vendors & Products		Web-dorado Web-dorado contact Form Maker
References		http://web-dorado.com/ https://wordpress.org/plugins/contact-form-maker https://www.exploit-db.com/exploits/46661 https://www.vulncheck.com/advisories/contact-form-by-wd-csrf-to-local-file-inclusion
Metrics		cvssV3_1 `{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-06-04T13:22:40.098Z

Updated: 2026-06-04T13:22:40.098Z

Reserved: 2026-06-04T10:58:50.877Z

Link: CVE-2019-25734

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-04T14:16:31.487

Modified: 2026-06-04T14:16:31.487

Link: CVE-2019-25734

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object