Skip to main content

Contact Form By Wpforms CVE-2026-25339

| EUVDEUVD-2026-15649 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-03-25 Patchstack GHSA-r5wr-5hhj-7hjx
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15649
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Retrieve Embedded Sensitive Data.This issue affects Contact Form by WPForms: from n/a through <= 1.9.8.7.

AnalysisAI

Contact Form by WPForms versions up to 1.9.8.7 contain an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) that allows attackers to retrieve embedded sensitive data from contact form submissions. This information disclosure flaw affects the popular WordPress plugin maintained by Syed Balkhi, potentially exposing user data submitted through contact forms. While CVSS and EPSS scores are not yet published and KEV/POC status is unknown, the vulnerability was reported through Patchstack and tracked under ENISA EUVD-2026-15649.

Technical ContextAI

Contact Form by WPForms is a widely-used WordPress plugin (CPE: cpe:2.3:a:syed_balkhi:contact_form_by_wpforms:*:*:*:*:*:*:*:*) that provides form-building and submission handling functionality for WordPress sites. The vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), which occurs when an application embeds sensitive information in data that is sent to an untrusted entity. In this context, the plugin likely fails to properly sanitize or encrypt sensitive form submission data before transmission or storage, allowing attackers to extract information that should remain confidential. The affected versions range from an unspecified baseline through 1.9.8.7, suggesting the flaw has existed across multiple minor and patch releases.

RemediationAI

Immediately upgrade Contact Form by WPForms to a version later than 1.9.8.7, which should contain a patch addressing the sensitive data insertion flaw. Check the official WPForms plugin page on the WordPress plugin repository or the vendor's website for the patched release. Until an upgrade can be deployed, implement network-level and application-level mitigations: restrict access to contact form endpoints using Web Application Firewall (WAF) rules, enable HTTPS/TLS with strong ciphers to encrypt form data in transit, and review server logs for suspicious access patterns or data extraction attempts. Additionally, audit recent form submissions for any evidence of data exfiltration and notify affected users if sensitive data (e.g., personal identifiers, payment information) was exposed. For detailed patching instructions, consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpforms-lite/vulnerability/wordpress-contact-form-by-wpforms-plugin-1-9-8-7-sensitive-data-exposure-vulnerability.

Share

CVE-2026-25339 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy