PatchSiren cyber security CVE debrief
CVE-2019-25734 Web-Dorado CVE debrief
CVE-2019-25734 is a medium-severity vulnerability in Contact Form by WD 1.13.1. The vulnerability is a cross-site request forgery (CSRF) issue combined with local file inclusion, allowing unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint with directory traversal sequences in the GET action parameter to load files via CSRF, bypassing authentication on vulnerable AJAX actions.
- Vendor: Web-Dorado
- Product: Contact Form Maker
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-04
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-04
Who should care
Administrators and users of Contact Form by WD 1.13.1 should be aware of this vulnerability and take necessary actions to mitigate it.
Technical summary
The vulnerability has a CVSS score of 5.1 and is classified as MEDIUM. It allows attackers to include arbitrary files via CSRF, potentially leading to unauthorized access and data breaches.
Defensive priority
MEDIUM
Recommended defensive actions
- Update Contact Form by WD to a version that fixes the CSRF and local file inclusion vulnerabilities.
- Implement additional security measures, such as validating and sanitizing user input, to prevent similar attacks.
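As a detection aid while the update is rolled out, the following added example (not code from the advisory or the vendor) scans web server access logs for requests to admin-ajax.php whose action parameter decodes to a directory traversal sequence, and notes whether the Referer points off-site, as a CSRF-delivered request would. It assumes combined log format; the function names, the host name blog.example and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line, status, size and Referer of a combined-format log entry (assumed format).
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"')
# A ".." path segment delimited by "/" or "\" (or by the string boundaries).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e), up to max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_action(uri):
    """Return the decoded action value if it carries a traversal sequence, else None."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "action":
            decoded = fully_decode(value)  # parse_qsl already decoded once
            if TRAVERSAL_RE.search(decoded) or "\x00" in decoded:
                return decoded
    return None

def scan(lines, site_host):
    """Yield (uri, decoded_action, cross_site_referer) for each flagged line."""
    for line in lines:
        m = LOG_RE.search(line)
        action = suspicious_action(m["uri"]) if m else None
        if action is not None:
            ref_host = urlsplit(m["referer"]).hostname
            yield m["uri"], action, ref_host is not None and ref_host != site_host

# Constructed sample log lines (not from a real incident).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "https://blog.example/wp-admin/" "UA"',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=..%2F..%2Fplaceholder&page=1 HTTP/1.1" 200 512 "https://other.example/form.html" "UA"',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=%252e%252e%252fplaceholder HTTP/1.1" 200 0 "-" "UA"',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php?action=../x HTTP/1.1" 404 0 "-" "UA"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE, "blog.example"):
        print(hit)
```

Legitimate WordPress AJAX action names are plain identifiers, so any hit on this pattern merits review regardless of the Referer value.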
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively.
Official resources
CVE-2019-25734 was published on 2019-03-26T00:00:00.000Z and modified on 2019-03-26T00:00:00.000Z.