Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7.
AnalysisAI
Contact Form by WPForms versions up to 1.9.8.7 contain an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) that allows attackers to retrieve embedded sensitive data from contact form submissions. This information disclosure flaw affects the popular WordPress plugin maintained by Syed Balkhi, potentially exposing user data submitted through contact forms. While CVSS and EPSS scores are not yet published and KEV/POC status is unknown, the vulnerability was reported through Patchstack and tracked under ENISA EUVD-2026-15649.
Technical ContextAI
Contact Form by WPForms is a widely-used WordPress plugin (CPE: cpe:2.3:a:syed_balkhi:contact_form_by_wpforms:*:*:*:*:*:*:*:*) that provides form-building and submission handling functionality for WordPress sites. The vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), which occurs when an application embeds sensitive information in data that is sent to an untrusted entity. In this context, the plugin likely fails to properly sanitize or encrypt sensitive form submission data before transmission or storage, allowing attackers to extract information that should remain confidential. The affected versions range from an unspecified baseline through 1.9.8.7, suggesting the flaw has existed across multiple minor and patch releases.
RemediationAI
Immediately upgrade Contact Form by WPForms to a version later than 1.9.8.7, which should contain a patch addressing the sensitive data insertion flaw. Check the official WPForms plugin page on the WordPress plugin repository or the vendor's website for the patched release. Until an upgrade can be deployed, implement network-level and application-level mitigations: restrict access to contact form endpoints using Web Application Firewall (WAF) rules, enable HTTPS/TLS with strong ciphers to encrypt form data in transit, and review server logs for suspicious access patterns or data extraction attempts. Additionally, audit recent form submissions for any evidence of data exfiltration and notify affected users if sensitive data (e.g., personal identifiers, payment information) was exposed. For detailed patching instructions, consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpforms-lite/vulnerability/wordpress-contact-form-by-wpforms-plugin-1-9-8-7-sensitive-data-exposure-vulnerability.
More in Contact Form By Wpforms
View allCross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Re
Broken access control in the Contact Form by WPForms plugin (versions <= 1.10.0.4) for WordPress allows remote unauthent
Inadequate authorization controls in WPForms Contact Form plugin version 1.9.9.3 and earlier permit authenticated users
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15649
GHSA-r5wr-5hhj-7hjx