CVE-2015-6965

Contact Form Generator < 2.0.1 - Cross-Site Request Forgery

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-6965. PoCs published by i0akiN SEC-LABORATORY.

AI-analyzed exploit summary This is a CSRF exploit for WordPress Contact Form Generator v2.0.1 and below, allowing an attacker to create or update form fields with malicious HTML/JS payloads via crafted POST requests.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in the Contact Form Generator plugin 2.0.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) create a field, (2) update a field, (3) delete a field, (4) create a form, (5) update a form, (6) delete a form, (7) create a template, (8) update a template, (9) delete a template, or (10) conduct cross-site scripting (XSS) attacks via a crafted request to the cfg_forms page in wp-admin/admin.php.

Exploits (1)

exploitdb WORKING POC
by i0akiN SEC-LABORATORY · htmlwebappsphp
https://www.exploit-db.com/exploits/38086

This is a CSRF exploit for WordPress Contact Form Generator v2.0.1 and below, allowing an attacker to create or update form fields with malicious HTML/JS payloads via crafted POST requests.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: WordPress Contact Form Generator v2.0.1 and below
No auth needed
Prerequisites: Victim must be logged in as an administrator · Vulnerable plugin must be installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/8176
Exploit exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/38086/

Scores

EPSS 0.0302
EPSS Percentile 85.7%

Details

CWE
CWE-352
Status published
Products (1)
creative-solutions/contact_form_generator < 2.0.1
Published Sep 16, 2015
Tracked Since Feb 18, 2026