CVE-2025-1382 in Contact Us by Lord Linus Plugin

Summary

by MITRE • 03/09/2025

The Contact Us By Lord Linus WordPress plugin through 2.6 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.


Analysis

by VulDB Data Team • 01/10/2026

The Contact Us By Lord Linus WordPress plugin version 2.6 and earlier contains security vulnerabilities that expose WordPress sites to stored cross-site scripting through missing server-side request validation. The root cause is the plugin's failure to protect several administrative actions against cross-site request forgery. Because key administrative endpoints carry no CSRF token (a WordPress nonce), a request forged by an attacker-controlled page is accepted as long as the victim's browser attaches a valid administrator session cookie, so the attacker needs no account of their own.

The technical flaw manifests in two areas where the plugin fails to sanitize and escape user input before processing it. The first issue is the lack of a CSRF check that would confirm a request genuinely originates from the administrator's own session rather than from a third-party page the administrator happens to be viewing. The second is the input handling itself: the plugin neither sanitizes the submitted data before storing it nor escapes it when rendering it within the WordPress administrative interface. Together these two failures let an attacker inject script that persists in the database and executes whenever the affected admin page is loaded.

The operational impact is severe because the stored payload targets authenticated administrators. When an administrator visits the affected page or uses the plugin's administrative features, the JavaScript embedded in the stored payload executes within the administrator's browser session and therefore with the administrator's privileges. This enables an attacker to modify content, steal session cookies, perform unauthorized administrative actions, and potentially compromise the entire WordPress installation. Any site running an affected plugin version is exposed, and the risk is highest in environments with multiple administrators or other high-privilege users who might view the poisoned page.

Security standards CWE-352 and CWE-79 directly apply: CWE-352 covers the missing CSRF protection and CWE-79 the cross-site scripting flaw. In ATT&CK terms the chain maps to T1566 (phishing) and T1566.001 (spearphishing attachment) for luring the administrator to the forged request, and to T1078.004 (valid accounts) for the subsequent abuse of the administrator's session. The chain begins with the CSRF request and culminates in persistent script execution within the administrative context.

Mitigation should start with an immediate update to plugin version 2.7 or later, where these CSRF and sanitization issues have been addressed. Beyond that, organizations should audit installed WordPress plugins regularly, deploy a web application firewall to detect and block suspicious requests, and insist on input sanitization on every write path and context-appropriate output escaping on every read path of a plugin's admin interface. Administrators should avoid browsing untrusted sites while holding an active administrative session, and organizations should consider a Content Security Policy for the administrative interface to limit execution of unauthorized scripts.
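The two defect classes described above and the corresponding fixes, shown as an added example in a hypothetical WordPress settings handler. This is not the plugin's own code: the option name `cu_demo_settings`, the `admin_post` action `cu_demo_save`, the nonce action `cu_demo_save_settings` and the field names are all assumptions made here. The first pair of functions reproduces the vulnerable pattern for contrast; the second pair is the hardened form using WordPress core's nonce, capability, sanitization and escaping APIs.

```php
<?php
/*
 * Added example, not code from the Contact Us by Lord Linus plugin.
 * Assumed names: option 'cu_demo_settings', admin_post action 'cu_demo_save',
 * nonce action 'cu_demo_save_settings', nonce field 'cu_demo_nonce'.
 */

/* ---------- Vulnerable pattern (CWE-352 + CWE-79), for contrast only ---------- */

function cu_demo_save_vulnerable() {
    // No capability check and no nonce: any POST that arrives with the
    // administrator's cookies is accepted, including one submitted by a
    // form on a third-party page the administrator merely visited.
    $settings = array(
        'title' => $_POST['title'],   // stored without sanitization
        'email' => $_POST['email'],
    );
    update_option( 'cu_demo_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=cu_demo' ) );
    exit;
}

function cu_demo_render_vulnerable() {
    $s = get_option( 'cu_demo_settings', array( 'title' => '', 'email' => '' ) );
    // Echoed raw into an attribute: a stored payload runs for every admin who loads the page.
    echo '<input type="text" name="title" value="' . $s['title'] . '">';
}

/* ---------- Hardened pattern ---------- */

function cu_demo_render_form() {
    $s = get_option( 'cu_demo_settings', array( 'title' => '', 'email' => '' ) );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    // Emits a hidden nonce field bound to this user and this action (plus a referer field).
    wp_nonce_field( 'cu_demo_save_settings', 'cu_demo_nonce' );
    echo '<input type="hidden" name="action" value="cu_demo_save">';
    // Escape on output, matching the context: esc_attr() for attribute values.
    echo '<input type="text" name="title" value="' . esc_attr( $s['title'] ) . '">';
    echo '<input type="email" name="email" value="' . esc_attr( $s['email'] ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function cu_demo_save_settings() {
    // 1. Authorization: only users allowed to change site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the nonce must match this action; on failure WordPress stops with a 403 page.
    check_admin_referer( 'cu_demo_save_settings', 'cu_demo_nonce' );

    // 3. Sanitize on input: unslash the raw POST data, then apply a type-appropriate sanitizer.
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    update_option( 'cu_demo_settings', array( 'title' => $title, 'email' => $email ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=cu_demo' ) ) );
    exit;
}

// admin_post_{action} only runs for logged-in users, which is exactly why the
// nonce is needed: being logged in is the precondition a CSRF attack relies on.
add_action( 'admin_post_cu_demo_save', 'cu_demo_save_settings' );
```

The three checks in the hardened handler address the advisory's points in order: `current_user_can()` confirms the session belongs to a privileged user, `check_admin_referer()` (or `wp_verify_nonce()` for AJAX and REST paths) rejects requests that were not generated by the plugin's own form, and the `sanitize_*()` calls strip markup before anything reaches the database. Escaping is still applied at render time because sanitization on input is not a substitute for context-aware output encoding; if a field legitimately needs limited HTML, `wp_kses_post()` on input together with no further escaping on output is the usual pattern. Note that a restrictive Content Security Policy on wp-admin needs testing before deployment, since core admin pages rely on inline scripts.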

Responsible

WPScan

Reservation

02/16/2025

Disclosure

03/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00166

KEV

no

Activities

very low
