The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Metrics
Affected Vendors & Products
References
History
Tue, 08 Jul 2025 18:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Fri, 04 Jul 2025 02:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |
Title | RD Contacto <= 1.4 - Cross-Site Request Forgery to Settings Update | |
Weaknesses | CWE-352 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: Wordfence
Published: 2025-07-04T01:44:00.174Z
Updated: 2025-07-08T17:39:27.519Z
Reserved: 2025-06-09T15:17:16.998Z
Link: CVE-2025-5933

Updated: 2025-07-07T19:46:36.068Z

Status : Awaiting Analysis
Published: 2025-07-04T03:15:21.407
Modified: 2025-07-08T16:18:53.607
Link: CVE-2025-5933

No data.