CVE-2025-28864
Published: 11 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-28864 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the Builder for Contact Form 7 by Webconstruct WordPress plugin (cf7-builder). This issue affects all versions of the plugin from n/a through 1.2.2, allowing CSRF attacks against the plugin's functionality.
The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating exploitation over the network with low attack complexity, no privileges required, but user interaction needed from the target. Unauthenticated attackers can trick authenticated users, such as site administrators, into submitting malicious requests via a forged webpage, resulting in low-impact integrity effects like unauthorized modifications to plugin settings or data.
The Patchstack advisory documents this CSRF vulnerability in Builder for Contact Form 7 by Webconstruct version 1.2.2, providing details for security practitioners to assess and address exposure in affected WordPress installations: https://patchstack.com/database/Wordpress/Plugin/cf7-builder/vulnerability/wordpress-builder-for-contact-form-7-by-webconstruct-plugin-1-2-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve.
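The root cause class here (CWE-352) is a state-changing request handler that accepts any request arriving with the victim's session cookie. The following added example is not code from the cf7-builder plugin or from Patchstack; it shows the generic WordPress pattern side by side: a settings handler with no nonce check, and the hardened version that ties the form to the user's session with a WordPress nonce and checks the user's capability before writing. The option name `example_cf7b_setting`, the action names `example_cf7b_save` / `example_cf7b_save_vuln`, and the admin page slug `example-cf7b` are all hypothetical.

```php
<?php
// Added example, not code from the cf7-builder plugin. The option name, action
// names and page slug below are assumptions for illustration only.

// --- Vulnerable pattern (CWE-352) -------------------------------------------
// The handler trusts any POST that reaches admin-post.php from a logged-in user.
// A third-party page can auto-submit a form to this endpoint; the browser
// attaches the administrator's session cookie and the option is changed.
add_action( 'admin_post_example_cf7b_save_vuln', function () {
    update_option(
        'example_cf7b_setting',
        sanitize_text_field( wp_unslash( $_POST['setting'] ?? '' ) )
    );
    wp_safe_redirect( admin_url( 'admin.php?page=example-cf7b' ) );
    exit;
} );

// --- Hardened form ------------------------------------------------------------
// The form carries a nonce bound to the action, the current user and the
// current session; a cross-site page cannot produce a valid one.
function example_cf7b_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_cf7b_save">
        <?php wp_nonce_field( 'example_cf7b_save', '_example_cf7b_nonce' ); ?>
        <input type="text" name="setting"
               value="<?php echo esc_attr( get_option( 'example_cf7b_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_cf7b_save', function () {
    // 1. Authorization: being logged in is not enough; require the capability
    //    that actually governs changing site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: verify the nonce the form carried. check_admin_referer()
    //    calls wp_verify_nonce() on the named request field and stops execution
    //    with an error page if the nonce is missing, expired or forged.
    check_admin_referer( 'example_cf7b_save', '_example_cf7b_nonce' );

    // 3. Only now is it safe to change state.
    update_option(
        'example_cf7b_setting',
        sanitize_text_field( wp_unslash( $_POST['setting'] ?? '' ) )
    );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=example-cf7b' ) ) );
    exit;
} );
```

Two points worth checking when reviewing a plugin for this class of bug: every `admin_post_*`, `wp_ajax_*` and `admin_init` handler that writes options, posts or files should have both a capability check and a nonce check (a nonce alone does not authorize; a capability check alone does not stop forgery), and WordPress nonces are valid for a 12 to 24 hour window rather than per request, so they block cross-site forgery but are not a replacement for proper authorization on every write.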
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)
- Affected Products: Builder for Contact Form 7 by Webconstruct WordPress plugin (cf7-builder), all versions through 1.2.2
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A CSRF vulnerability in a public-facing WordPress plugin allows the application itself to be exploited (Exploit Public-Facing Application, T1190) through attacker-crafted links or webpages that trick authenticated users into performing unauthorized actions (User Execution: Malicious Link, T1204.001).