Loading market data...
← Back to CVE feed

CVE-2019-25734

MEDIUM CVSS 4.0 View on NVD ↗

Description

Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint with directory traversal sequences in the GET action parameter to load files via CSRF, bypassing authentication on vulnerable AJAX actions.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Published: Jun 04, 2026 14:16 UTC Modified: Jun 04, 2026 15:00 UTC