WordPress Security Bulletin: WP Quick Contact Us Plugin Vulnerability (CVE-2026-1394)

On this page

Security Alert Summary

The WP Quick Contact Us plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability (CWE-352) that affects all versions up to and including 1.0. Missing nonce validation on the plugin’s settings update functionality allows an attacker to cause a site administrator to unknowingly apply changes via a forged request.


CVE Details

  • CVE ID: CVE-2026-1394
  • Affected component: WP Quick Contact Us plugin for WordPress
  • Affected versions: All versions up to and including 1.0
  • Published: February 14, 2026 at 7:16:10 AM (UTC)
  • Last modified: February 14, 2026 at 7:16:10 AM (UTC)
  • CVSS v3.1: Base Score 4.3, MEDIUM — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
  • Authentication requirements: None (unauthenticated attacker can initiate a CSRF against an admin)
  • Privileges required: None
  • User interaction: Required (an administrator must be tricked into performing an action such as clicking a link)
  • Primary impact: Confidentiality: None; Integrity: Low; Availability: None
  • Weakness (CWE): CWE-352 (Cross-Site Request Forgery)

Technical Details

The vulnerability is a Cross-Site Request Forgery affecting the plugin’s settings update functionality. According to the advisory, the plugin fails to perform nonce validation when processing settings updates. Because nonces are used in WordPress to ensure that a request originates from an intended user action within the site, the missing nonce check allows an attacker to craft a request that, if an administrator is tricked into visiting, will be accepted and applied by the plugin.

The impact is limited to modification of the plugin’s settings (integrity impact). The advisory does not name specific functions or REST API endpoints beyond the settings update functionality. No confidentiality or availability impacts are indicated in the provided data.


How This Could Impact Your Website

Consider a site with multiple users: a site owner, an internal content editor, and an external contractor who helps maintain pages. If an administrator with access to plugin settings is tricked into loading a malicious link, an attacker could change the WP Quick Contact Us plugin settings without needing to authenticate. Practical consequences may include redirecting contact form submissions to an attacker-controlled address, altering notification recipients, or disabling certain contact features—each of which modifies how site communications are handled.

These changes can increase the risk of targeted phishing or social engineering if contact routing is altered, and can create operational confusion if form messages are no longer delivered to expected recipients. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially users with administrator or plugin-management capabilities.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and audit logs for unusual changes to plugin settings or unexpected administrator actions.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References