CVE-2025-60169: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was identified in W3S Cloud Technology's W3SCloud Contact Form 7 to Zoho CRM plugin, affecting versions up to 3.0. The vulnerability was discovered by researcher Nguyen Xuan Chien and was publicly disclosed on September 26, 2025. The issue has been assigned CVE-2025-60169 and received a CVSS v3.1 base score of 7.1 (High) (Patchstack).

The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and requires no authentication to exploit. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no privileges required, and user interaction required for exploitation (NVD).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The impact affects confidentiality, integrity, and availability, each rated as Low according to the CVSS scoring (Patchstack).

No official fix is currently available for this vulnerability. The software is considered abandoned as it hasn't been updated for over a year. The recommended mitigation strategy is to remove and replace the software with an alternative solution (Patchstack).