CVE-2025-62896: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability has been identified in digitaldonkey Multilang Contact Form (multilang-contact-form) WordPress plugin that allows Stored XSS. This vulnerability affects all versions through 1.5. The vulnerability was discovered by Nguyen Xuan Chien and was disclosed on September 26, 2025 (Patchstack).

The vulnerability has been assigned CVE-2025-62896 and received a CVSS v3.1 base score of 8.8 (HIGH). The attack vector is Network-based (N), with Low attack complexity (L), requiring No privileges (N), and User interaction (R). The scope is Unchanged (U), with High impact on Confidentiality (H), Integrity (H), and Availability (H). The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD, AttackerKB).

The vulnerability could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. The impact is rated as High for confidentiality, integrity, and availability, indicating potential significant compromise of the system's security (Patchstack).

No official fix is currently available as the software appears to be abandoned, having not received updates for over a year. Users are strongly advised to remove and replace the software with an alternative solution. Deactivating the software alone does not remove the security threat unless a virtual patch is deployed (Patchstack).