CVE-2025-1382: 
WordPress vulnerability analysis and mitigation

The Contact Us By Lord Linus WordPress plugin through version 2.6 contains multiple security vulnerabilities related to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). The vulnerability was discovered and reported on February 16, 2025, and was assigned CVE-2025-1382. This security issue affects all versions of the plugin up to and including version 2.6 (WPScan).

The vulnerability stems from the absence of CSRF checks in certain plugin functionalities, combined with inadequate input sanitization and output escaping. The CVSS v3.1 score is 6.1 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The technical implementation allows attackers to execute Stored XSS payloads through CSRF attacks when targeting logged-in administrators (NVD, WPScan).

When successfully exploited, this vulnerability allows attackers to inject and store malicious JavaScript code in the website through CSRF attacks. This stored XSS payload would then execute whenever an administrator accesses the affected pages, potentially leading to unauthorized actions performed under the administrator's privileges (WPScan).

Currently, there is no known fix available for this vulnerability. Website administrators using the Contact Us By Lord Linus plugin should consider either removing the plugin or implementing additional security controls until a patch is released (WPScan).