CVE-2025-63056

Severity: MEDIUM (CVSS 3.1 base score 4.3)
Published: 2025-12-09, source: [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 09, 2025 - 16:18 (nvd), rated MEDIUM 4.3

Description

Missing Authorization vulnerability in bestwebsoft Contact Form by BestWebSoft contact-form-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form by BestWebSoft: from n/a through <= 4.3.6.

Analysis

Authenticated users can access sensitive contact form data and functionality they should not have permission to view or modify due to missing authorization checks in Contact Form by BestWebSoft plugin versions up to 4.3.6. The vulnerability allows logged-in attackers with low-level privileges to bypass access controls and view contact information or modify form settings with only network access and no additional user interaction required. This is not actively exploited according to available intelligence, though the access control bypass pattern is a common attack vector.

Technical Context

Contact Form by BestWebSoft is a WordPress plugin that extends WordPress's native contact form functionality. The vulnerability stems from CWE-862 (Missing Authorization), a failure to implement proper access control checks before performing sensitive operations on contact form data and configuration. WordPress plugins handling user-submitted contact information typically store this data in the database and enforce capability checks (like 'manage_options' or plugin-specific capabilities) before allowing access. This plugin fails to verify that the authenticated user making requests possesses the required capability level to access or modify contact form records, configuration, or collected submissions. An authenticated user with the bare minimum WordPress account privileges (such as a 'Subscriber' role) can craft requests to administrative endpoints that should be restricted to administrators or form owners only.
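The capability-check pattern described above, shown as an added illustration of CWE-862 in a WordPress plugin. This is not code from Contact Form by BestWebSoft and does not reproduce its internals; the AJAX action names, the submissions table and the option key are assumptions chosen for the example. The first handler trusts the logged-in session alone, so any Subscriber who can reach admin-ajax.php can read collected submissions; the hardened handlers check a capability and a nonce before touching data.

```php
<?php
// Added example, not the plugin's code. Hook names, the table
// `{prefix}example_cf_submissions` and the option `example_cf_recipient`
// are hypothetical.

// VULNERABLE (CWE-862): registered on wp_ajax_*, so every authenticated
// user can call it, and no capability check restricts who gets the data.
add_action( 'wp_ajax_example_cf_export_insecure', 'example_cf_export_insecure' );
function example_cf_export_insecure() {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT name, email, message FROM {$wpdb->prefix}example_cf_submissions"
    );
    wp_send_json_success( $rows ); // contact data leaks to a Subscriber-level account
}

// HARDENED: authorize first, then verify the request origin, then act.
add_action( 'wp_ajax_example_cf_export', 'example_cf_export' );
function example_cf_export() {
    // Capability check: limit to users allowed to manage the site
    // (a plugin-specific capability would also work).
    if ( ! current_user_can( 'manage_options' ) ) {
        // Optional audit trail so failed attempts are visible in the PHP log.
        error_log( 'example_cf: export denied for user ' . get_current_user_id() );
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    // CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_cf_export', 'nonce' ); // dies on failure

    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT name, email, message FROM {$wpdb->prefix}example_cf_submissions"
    );
    wp_send_json_success( $rows );
}

// The same gate applies to settings writes: a missing check here lets a
// low-privilege user change where submissions are delivered.
add_action( 'wp_ajax_example_cf_save_settings', 'example_cf_save_settings' );
function example_cf_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_cf_save_settings', 'nonce' );

    $to = isset( $_POST['recipient'] )
        ? sanitize_email( wp_unslash( $_POST['recipient'] ) )
        : '';
    if ( ! is_email( $to ) ) {
        wp_send_json_error( 'invalid recipient', 400 );
    }
    update_option( 'example_cf_recipient', $to );
    wp_send_json_success();
}
```

The order matters: `current_user_can()` answers "is this user allowed to do this at all", while the nonce only proves the request came from a page WordPress rendered for that user, so a nonce check alone would still let a Subscriber export the table. When auditing a plugin for this class of bug, look for every `wp_ajax_*`, `admin_post_*` and REST route callback and confirm each one performs an explicit capability check (or a REST `permission_callback` that does) rather than relying on the menu page being hidden.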

Affected Products

Contact Form by BestWebSoft plugin for WordPress versions from an unspecified base version through 4.3.6 inclusive. CPE data is not provided in available sources, but the plugin is distributed via the official WordPress plugin repository at wordpress.org and is identifiable by the plugin slug 'contact-form-plugin'. Per vendor advisory reference (patchstack.com/database/Wordpress/Plugin/contact-form-plugin), the vulnerability affects all installations of this plugin at 4.3.6 and below.

Remediation

Update Contact Form by BestWebSoft plugin to a patched version released after 4.3.6. Exact patched version number is not provided in available data; consult the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/contact-form-plugin/vulnerability/wordpress-contact-form-by-bestwebsoft-plugin-4-3-5-broken-access-control-vulnerability for the specific minimum version that addresses this issue. Immediate workarounds include: restricting WordPress user registration to trusted accounts only, using a WordPress user role/capability management plugin to deny low-privilege users access to contact form administrative pages, or disabling the Contact Form by BestWebSoft plugin until an update is available. Administrators should review contact form data access logs if available to detect any unauthorized access prior to patching.

Priority Score

22 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +22
POC: 0

CVE-2025-63056 vulnerability details – vuln.today