Shared security patch analysis results
AI Used: claude_cli haiku--- cache/quick-contact-form_8.2.6/legacy/functions/qcf_process_form.php 2026-01-19 00:17:48.827738245 +0000+++ cache/quick-contact-form_8.2.7/legacy/functions/qcf_process_form.php 2026-01-19 00:20:56.487373536 +0000@@ -64,11 +64,8 @@ $content = ''; $auto = qcf_get_stored_autoresponder( $id ); $hd = ( $style['header-type'] ? $style['header-type'] : 'h2' );- $qcfemail = qcf_get_stored_email();- $qcf_email = ( $qcfemail[$id] ? $qcfemail[$id] : get_bloginfo( 'admin_email' ) );- if ( isset( $_GET["email"] ) ) {- $qcf_email = sanitize_email( $_GET["email"] );- }+ $qcfemail = qcf_get_stored_email();+ $qcf_email = ( ! empty( $qcfemail[ $id ] ) ? $qcfemail[ $id ] : get_bloginfo( 'admin_email' ) ); $values['qcfname2'] = ( $values['qcfname2'] ? $values['qcfname2'] : $qcf_email ); if ( !empty( $reply['replytitle'] ) ) { $reply['replytitle'] = apply_filters( 'qcf_reply_title_h2_markup', '<' . $hd . ' class="reply-title">' ) . $reply['replytitle'] . apply_filters( 'qcf_reply_title_end_h2_markup', '</' . $hd . '>' );@@ -269,7 +266,7 @@ } $headers .= "MIME-Version: 1.0\r\n" . "Content-Type: text/html; charset=\"utf-8\"\r\n"; $message = $sendcontent;- $emails = qcf_get_stored_emails( $id );+ $emails = qcf_get_stored_emails( $id ); if ( function_exists( 'qcf_select_email' ) || $emails['emailenable'] ) { $email = qcf_redirect_by_email( $id, $values['qcfname5'] ); if ( $email ) {
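Review bot: In the first hunk (the `$qcf_email` block around old lines 67-70), the removal of the `$_GET["email"]` override is the right fix, since the recipient address now comes only from the stored per-form setting or `get_bloginfo( 'admin_email' )`, and switching the fallback to `! empty( $qcfemail[ $id ] )` also avoids an undefined-index notice when no address is stored for that form id. The line that follows in the unchanged context, `$values['qcfname2'] = ( $values['qcfname2'] ? $values['qcfname2'] : $qcf_email );`, still uses the bare truthiness check, so for consistency it should become `( ! empty( $values['qcfname2'] ) ? $values['qcfname2'] : $qcf_email )`. The advisory quoted on this page attributes the issue to the `qcf_validate_form` AJAX endpoint while the hunk changes `qcf_process_form.php`; a sentence in the commit message tracing that call path, and confirmation that no other code path still reads `$_GET["email"]`, would make the fix easier to verify.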
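Review bot: The second hunk (around old line 269) changes only the whitespace in `$emails = qcf_get_stored_emails( $id );`; a whitespace-only change mixed into a security fix adds noise to the diff reviewers have to audit, so it is better kept in a separate formatting commit.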
I'll analyze this code diff for security vulnerabilities.
Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection / Email Header Injection - CWE-89 / CWE-93 - legacy/functions/qcf_process_form.php - Lines 67-70
Old Code:
```php
if ( isset( $_GET["email"] ) ) {
$qcf_email = sanitize_email( $_GET["email"] );
}
```
Fixed Code:
```php
$qcf_email = ( ! empty( $qcfemail[ $id ] ) ? $qcfemail[ $id ] : get_bloginfo( 'admin_email' ) );
```
Explanation:
The old code accepted user-supplied email addresses directly from the `$_GET` superglobal. While `sanitize_email()` was applied, this function only validates email format and does not prevent header injection attacks. The removed code allowed an attacker to inject email headers (via newline characters like `\r\n`) to add additional recipients, modify subject lines, or inject arbitrary email headers. The fixed code removes this user input vector entirely and uses only pre-stored email addresses from the database via `qcf_get_stored_email()`, eliminating the attack surface. This is a critical security fix as email header injection can lead to email spoofing, spam relay, and sensitive information disclosure.
---
Vulnerability Existed: no
Code Quality Issue - N/A - legacy/functions/qcf_process_form.php - Lines 266-269
Old Code:
```php
$emails = qcf_get_stored_emails( $id );
```
Fixed Code:
```php
$emails = qcf_get_stored_emails( $id );
```
Explanation:
This change is purely cosmetic formatting (extra whitespace alignment). No security vulnerability exists here—it's just code style normalization with no functional or security implications.
The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details.
--- cache/quick-contact-form_8.2.6/quick-contact-form.php 2026-01-19 00:17:48.855739981 +0000+++ cache/quick-contact-form_8.2.7/quick-contact-form.php 2026-01-19 00:20:56.519375519 +0000@@ -3,8 +3,8 @@ * Plugin Name: Quick Contact Form * Plugin URI: https://wpexperts.io/ * Description: A really, really simple GDPR compliant contact form. There is nothing to configure, just add your email address and it's ready to go. But you then have access to a huge range of easy to use features.- * Version: 8.2.6- * Author: Fullworks+ * Version: 8.2.7+ * Author: Quick Contact Form * Author URI: https://wpexperts.io/ * Requires PHP: 5.6 * Requires at least: 4.6@@ -53,7 +53,7 @@ $freemius->add_action( 'after_uninstall', array( '\Quick_Contact_Form\Control\Uninstall', 'uninstall' ) ); $plugin = new Plugin( 'quick-contact-form',- '8.2.6',+ '8.2.7', $freemius ); $plugin->run(); @@ -62,5 +62,4 @@ run_Quick_Contact_Form(); } else { die( esc_html__( 'Cannot execute as the plugin already exists, if you have a free version installed deactivate that and try again', 'quick-contact-form' ) );-}-+}\ No newline at end of file
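Review bot: The last hunk (around old line 62) drops the trailing newline at the end of `quick-contact-form.php`, as the `\ No newline at end of file` marker shows; that is most likely an editor side effect and should be reverted so the file ends with a newline, otherwise every future change to the final line will produce a spurious diff. The version bump to `8.2.7` and the author rename to `Quick Contact Form` in the first two hunks are metadata only and need no further review.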
I'll analyze this code diff for security vulnerabilities.
Vulnerability Existed: no
[No CWE] - N/A - quick-contact-form.php [All lines]
Old Code:
```php
 * Version: 8.2.6
 * Author: Fullworks
...
'8.2.6',
...
}
```
Fixed Code:
```php
 * Version: 8.2.7
 * Author: Quick Contact Form
...
'8.2.7',
...
}
```
Explanation:
This diff contains only administrative and metadata changes:
1. Version number bump from 8.2.6 to 8.2.7
2. Author name change from "Fullworks" to "Quick Contact Form"
3. Removal of trailing newline at end of file
These are non-security changes that do not introduce, fix, or relate to any security vulnerabilities. The code functionality remains identical. There are no new inputs being processed, no changes to authentication/authorization logic, no modifications to data handling, sanitization, escaping, or validation routines. No CWE-related vulnerabilities are present in this diff.