CVE-2019-25734 - CERT CVE

  1. CVE-2019-25734

ID CVE-2019-25734
Sažetak Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint with directory traversal sequences in the GET action parameter to load files via CSRF, bypassing authentication on vulnerable AJAX actions.
Reference
CVSS
Base: 4.0
Impact: 1.4
Exploitability:2.5
Pristup
VektorSloženostAutentikacija
LOCAL LOW NONE
Impact
PovjerljivostCjelovitostDostupnost
NONE LOW NONE
CVSS vektor CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Zadnje važnije ažuriranje 04-06-2026 - 15:00
Objavljeno 04-06-2026 - 14:16